This repository has been archived by the owner on Apr 20, 2023. It is now read-only.

Update buildkit (#46)
* Remove duplicate "not found" from some error messages

I noticed this when building a Dockerfile that failed because a file didn't
exist, so went through error messages that looked like they had a duplicate
"not found" in the output;

    [+] Building 0.9s (6/9)
     => [internal] load build definition from Dockerfile                0.2s
     => => transferring dockerfile: 306B                                0.0s
     => [internal] load .dockerignore                                   0.1s
     => => transferring context: 2B                                     0.0s
     => [internal] load metadata for docker.io/library/alpine:latest    0.0s
     => CACHED [1/5] FROM docker.io/library/alpine                      0.0s
     => [internal] load build context                                   0.6s
     => => transferring context: 701B                                   0.5s
     => ERROR [2/5] ADD no-such-file.txt /                              0.0s
    ------
     > [2/5] ADD no-such-file.txt /:
    ------
    failed to compute cache key: "/no-such-file.txt" not found: not found

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* git: support subdir component

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* Update SSH agent socket handling to support Windows OpenSSH using named pipes.

Signed-off-by: Siebe Schaap <siebe@digibites.nl>

* Update Windows named pipe handling for SSH forwarding to use x/sys/windows rather than syscall.

Signed-off-by: Siebe Schaap <siebe@digibites.nl>

* Rename SSH agent forwarding helper parsePlatformSocketPath() to getWindowsPipeDialer().

Signed-off-by: Siebe Schaap <siebe@digibites.nl>

* Fix regular expression to test for Windows named pipe in SSH agent path; allowed backslashes in host.

Signed-off-by: Siebe Schaap <siebe@digibites.nl>

* update to go 1.16

This updates all occurrences of Go 1.13 to Go 1.16; also updated
the code that's used to redact credentials in URLs to use the Go
implementation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* go.mod: update docker and docker cli to v20.10.7

- pkg/signal: ignore SIGURG on all platforms
- pkg/archive: use v2 capabilities in layer archives
- update ishidawataru/sctp to fix possible socket leak when bind fails

docker/cli:

- config: print deprecation warning when falling back to ~/.dockercfg

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* hack: update proto generators for arm64

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* test: fix mirror cache handling

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* cache: fix possible nil dereferences

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* move RegistryConfig to resolver package

This allows using the resolver package without having to import
the buildkit daemon configuration.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* vendor: fix broken gosum

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* add hack/shell helper for dev shell environment

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* session: make sure all token requests keep correct context

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* filesync: ensure sendclose is always called

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* Enable stargz snapshotter to use session for snapshot auth

Signed-off-by: ktock <ktokunaga.mail@gmail.com>

* Implement low-level parser primitives for heredocs

This provides the basic functionality for the parser to recognize and
parse provided heredocs in supported commands.

Signed-off-by: Justin Chadwell <me@jedevc.com>

* Add support for parsing heredocs in ADD/COPY and RUN

Signed-off-by: Justin Chadwell <me@jedevc.com>

* Integrate heredoc support into ADD/COPY and RUN

This modifies the command structures to support inline files, as well as
provides the logic to compile them down into appropriate LLB
definitions.

Signed-off-by: Justin Chadwell <me@jedevc.com>

* Add integration tests for dockerfile heredocs

Signed-off-by: Justin Chadwell <me@jedevc.com>

* Update docker/docker to master / v21.xx-dev (post libnetwork integration)

full diff: https://github.com/docker/docker/compare/v20.10.7..0ad2293d0e5b

This applies the same / similar local changes to buildkit as were made in
the branch that moby is currently vendoring:
moby/buildkit@244e8cd...cpuguy83:update_libnetwork_import

Unfortunately, this (again) requires a "replace" rule (probably until we tagged
a release with this change). Go mod refuses to pick a version from master, and
(without the replace rule), does weird, reverting docker to a very old version,
predating the sirupsen rename:

    > [vendored 4/4] RUN --mount=target=/src,rw   --mount=target=/go/pkg/mod,type=cache   go mod tidy && go mod vendor &&   mkdir /out && cp -r go.mod go.sum vendor /out:
    #10 0.500 go: finding github.com/docker/docker 8dbd90ec00daa26dc45d7da2431c965dec99e8b4
    #10 0.599 warning: ignoring symlink /src/examples/kube-consistent-hash
    #10 1.027 go: github.com/moby/buildkit/util/testutil/integration imports
    #10 1.027       github.com/docker/docker/testutil/daemon imports
    #10 1.027 	github.com/docker/docker/opts imports
    #10 1.027 	github.com/docker/libnetwork/ipamutils imports
    #10 1.027 	github.com/docker/libnetwork/osl imports
    #10 1.027 	github.com/Sirupsen/logrus: github.com/Sirupsen/logrus@v1.8.1: parsing go.mod:
    #10 1.027 	module declares its path as: github.com/sirupsen/logrus
    #10 1.027 	        but was required as: github.com/Sirupsen/logrus
    ------
    error: failed to solve: rpc error: code = Unknown desc = executor failed running [/bin/sh -c go mod tidy && go mod vendor &&   mkdir /out && cp -r go.mod go.sum vendor /out]: exit code: 1
    make: *** [vendor] Error 1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* Fix doc about Stargz Snapshotter and registry authentication

Signed-off-by: ktock <ktokunaga.mail@gmail.com>

* dockerfile: add documentation for here-docs

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* add differ support for local source

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* llb: don't allow content diff for now

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* Fix file modes with remote ADD commands

Signed-off-by: Justin Chadwell <me@jedevc.com>

* cache: avoid concurrent maps write on prune

remove() needs to be called while holding the manager lock

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* metadata: hold lock on storageitem update

The locks usage is mixed up because two separate locks
are actually needed. With a specific lock, calls to SetValue
can be protected.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* Dockerfile: install fuse-overlayfs from apk

fuse-overlayfs is available as an apk since Alpine 3.14.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

* vendor: update vt100 to fork and remove replace rule

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* add support for opentelemetry

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* replace opentracing with opentelemetry tracers

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* hack: avoid updating generated proto version

This can be done as a separate change when needed.
Also should analyze if this would affect the gogo
incompatibility issues with newer proto.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* session: avoid tracing health checkpoint

Upstream fixes needed for cleaner solution

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* disable otel error logging

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* correctly validate span from context

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* dockerfile: ensure config resolve errors keep source location

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* remove go fork for building windows/arm64

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* Dockerfile: remove nsswitch as default in go1.16

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* retryhandler: use net.ErrClosed for error check

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* replace uses of deprecated containerd/sys.RunningInUserNS()

This utility was moved to a separate package, which has no dependencies.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* integration: add common context base to all integration tests

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* vendor: update opentelemetry to 1.0.0-rc

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* add current tracing context detection and exec propagation

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit bc9a83144c83e9fd78007b7bfe92e8082c59d40e)

* add transform package to convert from otlp

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* tracing: add delegated exporter

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* otlgrpc: provide a way to get otlp client from grpc conn

Hopefully this can be removed with a future upstream change
that could make this configurable. The package also needs
internal dependency that is copied in.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* enable collecting traces via control api

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* support collecting traces from llb.Exec

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* client: pass delegated exporter as parameter

Avoid client package having dependency on global detect package.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* update runc binary to v1.0.0 GA

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

* handle unconfigured spans without errors

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* llb: add constraints to vertex and validate

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* llb: add constraints to async llb

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* llb: ensure meta resolver uses platform from constraints

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* flightcontrol: reduce contention between goroutines

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* Avoid nil pointer dereference when copying from image with no layers

Fix this panic when copying from an image with no layers:

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x50 pc=0xdd8c17]

goroutine 326 [running]:
github.com/moby/buildkit/cache/contenthash.(*cacheManager).Checksum(0xc0005ec030, 0x1682c00, 0xc000842140, 0x0, 0x0, 0xc0005d4023, 0x1, 0x0, 0x0, 0x0, ...)
	/src/cache/contenthash/checksum.go:95 +0x37
github.com/moby/buildkit/cache/contenthash.Checksum(0x1682c00, 0xc000842140, 0x0, 0x0, 0xc0005d4023, 0x1, 0x0, 0x0, 0x0, 0x0, ...)
	/src/cache/contenthash/checksum.go:59 +0xd5
github.com/moby/buildkit/solver/llbsolver.NewContentHashFunc.func1.1(0x0, 0x4425d6)
	/src/solver/llbsolver/result.go:59 +0x20a
golang.org/x/sync/errgroup.(*Group).Go.func1(0xc00056a360, 0xc000594510)
	/src/vendor/golang.org/x/sync/errgroup/errgroup.go:57 +0x59
created by golang.org/x/sync/errgroup.(*Group).Go
	/src/vendor/golang.org/x/sync/errgroup/errgroup.go:54 +0x66
```

When the path is "/", we allow it because it's a noop.

Based on moby#2185

Signed-off-by: Aaron Lehmann <alehmann@netflix.com>

* Add test for copying from scratch

Signed-off-by: Aaron Lehmann <alehmann@netflix.com>

* Check that scratch is mounted as empty dir

Signed-off-by: Aaron Lehmann <alehmann@netflix.com>

* Make error message consistent when layer is empty

Signed-off-by: Aaron Lehmann <alehmann@netflix.com>

* Test with tonistiigi/test:nolayers as well

Signed-off-by: Aaron Lehmann <alehmann@netflix.com>

* ensure containerd io is complete and closed before returning

Signed-off-by: Cory Bennett <cbennett@netflix.com>

* [moby#2112] progress.Controller should own the progress.Writer to prevent leaks

Signed-off-by: Cory Bennett <cbennett@netflix.com>

* [moby#2112] progress.FromContext returns a writer factory
this allows progress.Controller to manage the writer lifecycle

Signed-off-by: Cory Bennett <cbennett@netflix.com>

* contenthash: use SeekLowerBound to seek radix tree

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* dockerfile: fix git version detection

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* Add support for heredocs with ONBUILD

Signed-off-by: Justin Chadwell <me@jedevc.com>

* dockerfile: use none differ for dockerfile/dockerignore

This avoids wrong metadata matches on small files

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* progressui: print logs for failed step as summary in plain mode

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* grpcerrors: avoid rpc error wrapping in error messages

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* exec: improve error message on exec errors

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* Improve heredoc parsing to allow more generic words

Previously, heredoc names were restricted to simple alphanumeric
strings. However, heredocs should support much more complex use-cases,
including quoting anywhere, as well as allowing special symbols like `.`
for easily expressing file extensions.

This patch adds support for these more complex cases, by using the shell
lexer to parse each heredoc name. Additionally, we include improvements
to the lexer to optionally preserve escape tokens to avoid problems when
lexing words that have already been lexed before.

Signed-off-by: Justin Chadwell <me@jedevc.com>

* Improve progress and history messages for heredoc-related commands

Signed-off-by: Justin Chadwell <me@jedevc.com>

* Remove unneeded Finalize method from ImmutableRef.

Finalize was only used outside the cache package in one place, which
called it with the commit arg set to false. The code path followed
when commit==false turned out to essentially be a no-op because
it set "retain cache" to true if it was already set to true.

It was thus safe to remove the only external call to it and remove it
from the interface. This should be helpful for future efforts to
simplify the equal{Mutable,Immutable} fields in cacheRecord, which exist
due to the "lazy commit" feature that Finalize is tied into.

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* Fix ref leak if fileop ref fails to mount.

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* enable riscv64 build

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

* Update QEMU emulators

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>

* fixes to work with buildkit master

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Co-authored-by: Tonis Tiigi <tonistiigi@gmail.com>
Co-authored-by: Siebe Schaap <siebe@digibites.nl>
Co-authored-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Co-authored-by: Sebastiaan van Stijn <thaJeztah@users.noreply.github.com>
Co-authored-by: ktock <ktokunaga.mail@gmail.com>
Co-authored-by: Justin Chadwell <me@jedevc.com>
Co-authored-by: Akihiro Suda <suda.kyoto@gmail.com>
Co-authored-by: Aaron Lehmann <alehmann@netflix.com>
Co-authored-by: Cory Bennett <cbennett@netflix.com>
Co-authored-by: Erik Sipsma <erik@sipsma.dev>
Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>
13 people committed Jul 7, 2021
1 parent 0002590 commit 467c8f2
Showing 975 changed files with 105,465 additions and 38,730 deletions.
20 changes: 14 additions & 6 deletions .github/CONTRIBUTING.md
Expand Up @@ -71,26 +71,34 @@ make images
Running tests:

```bash
make test
./hack/test integration gateway dockerfile
```

This runs all unit and integration tests in a containerized environment.
This runs all unit and integration tests, gateway client and dockerfile tests in a containerized environment.
Locally, every package can be tested separately with standard Go tools, but
integration tests are skipped if local user doesn't have enough permissions or
worker binaries are not installed.
worker binaries are not installed. The dockerfile tests run by first building new Dockerfile frontend
image and then loading it to the test environment. Builtin Dockerfile frontend can be tested with regular
integration tests.

```bash
# test a specific package only
make test TESTPKGS=./client
TESTPKGS=./client ./hack/test integration

# run a specific test with all worker combinations
make test TESTPKGS=./client TESTFLAGS="--run /TestCallDiskUsage -v"
TESTPKGS=./client TESTFLAGS="--run /TestCallDiskUsage -v" ./hack/test integration

# run all integration tests with a specific worker
# supported workers: oci, oci-rootless, containerd, containerd-1.1
make test TESTPKGS=./client TESTFLAGS="--run //worker=containerd -v"
TESTPKGS=./client TESTFLAGS="--run //worker=containerd -v" ./hack/test integration

# run a specific dockerfile test only on labs channel
DOCKERFILE_RELEASES=labs TESTFLAGS="--run /TestRunGlobalNetwork/worker=oci$/ -v" ./hack/test dockerfile
```

Set `TEST_KEEP_CACHE=1` for the test framework to keep external dependant images in a docker volume
if you are repeatedly calling `./hack/test` script. This helps to avoid rate limiting on the remote registry side.

Updating vendored dependencies:

```bash
4 changes: 2 additions & 2 deletions .github/workflows/build.yml
Expand Up @@ -18,7 +18,7 @@ env:
REPO_SLUG_ORIGIN: "moby/buildkit:latest"
REPO_SLUG_TARGET: "moby/buildkit"
DF_REPO_SLUG_TARGET: "docker/dockerfile-upstream"
PLATFORMS: "linux/amd64,linux/arm/v7,linux/arm64,linux/s390x,linux/ppc64le"
PLATFORMS: "linux/amd64,linux/arm/v7,linux/arm64,linux/s390x,linux/ppc64le,linux/riscv64"
CACHEKEY_INTEGRATION_TESTS: "integration-tests"
CACHEKEY_BINARIES: "binaries"
CACHEKEY_CROSS: "cross"
Expand Down Expand Up @@ -169,7 +169,7 @@ jobs:
name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.13
go-version: 1.16
-
name: Cache Go modules
uses: actions/cache@v2
1 change: 1 addition & 0 deletions .golangci.yml
Expand Up @@ -8,6 +8,7 @@ run:
build-tags:
- dfrunsecurity
- dfrunnetwork
- dfheredoc

linters:
enable:
52 changes: 17 additions & 35 deletions Dockerfile
@@ -1,6 +1,6 @@
# syntax = docker/dockerfile:1.2

ARG RUNC_VERSION=v1.0.0-rc95
ARG RUNC_VERSION=v1.0.0
ARG CONTAINERD_VERSION=v1.5.2
# containerd v1.4 for integration tests
ARG CONTAINERD_ALT_VERSION=v1.4.6
Expand All @@ -10,27 +10,25 @@ ARG REGISTRY_VERSION=2.7.1
ARG ROOTLESSKIT_VERSION=v0.14.2
ARG CNI_VERSION=v0.9.1
ARG SHADOW_VERSION=4.8.1
ARG FUSEOVERLAYFS_VERSION=v1.5.0
ARG STARGZ_SNAPSHOTTER_VERSION=v0.5.0

ARG ALPINE_VERSION=3.12
ARG ALPINE_VERSION=3.14

# git stage is used for checking out remote repository sources
FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS git
RUN apk add --no-cache git

# xx is a helper for cross-compilation
FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:810dc54d5144f133a218e88e319184bf8b9ce01d37d46ddb37573e90decd9eef AS xx
FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:1e96844fadaa2f9aea021b2b05299bc02fe4c39a92d8e735b93e8e2b15610128 AS xx

FROM --platform=$BUILDPLATFORM golang:1.13-alpine AS gostable
FROM --platform=$BUILDPLATFORM golang:1.16-alpine AS golatest

FROM gostable AS go-linux
FROM golatest AS go-linux
FROM golatest AS go-darwin
FROM golatest AS go-windows-amd64
FROM golatest AS go-windows-386
FROM golatest AS go-windows-arm
FROM --platform=$BUILDPLATFORM tonistiigi/golang:497feff1-alpine AS go-windows-arm64
FROM --platform=$BUILDPLATFORM golang:1.17beta1-alpine AS go-windows-arm64
FROM go-windows-${TARGETARCH} AS go-windows

# gobuild is base stage for compiling go/cgo
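Review bot: The `go-windows-arm64` stage now builds from `golang:1.17beta1-alpine`, a pre-release toolchain referenced by a mutable tag, while the `xx` stage in the same hunk is pinned by `@sha256:` digest. Pin this image by digest as well and add a comment saying when the stage can fold back into `golatest`, so that windows/arm64 binaries are not produced by whatever the beta tag points to at build time. `golang:1.16-alpine` is tag-only too and would benefit from the same pinning.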
Expand All @@ -51,7 +49,7 @@ WORKDIR $GOPATH/src/github.com/opencontainers/runc
ARG TARGETPLATFORM
# gcc is only installed for libgcc
# lld has issues building static binaries for ppc so prefer ld for it
RUN set -e; xx-apk add musl-dev gcc libseccomp-dev; \
RUN set -e; xx-apk add musl-dev gcc libseccomp-dev libseccomp-static; \
[ "$(xx-info arch)" != "ppc64le" ] || XX_CC_PREFER_LINKER=ld xx-clang --setup-target-triple
RUN --mount=from=runc-src,src=/usr/src/runc,target=. --mount=target=/root/.cache,type=cache \
CGO_ENABLED=1 xx-go build -mod=vendor -ldflags '-extldflags -static' -tags 'apparmor seccomp netgo cgo static_build osusergo' -o /usr/bin/runc ./ && \
Expand Down Expand Up @@ -91,8 +89,8 @@ RUN --mount=target=. --mount=target=/root/.cache,type=cache \

FROM scratch AS binaries-linux-helper
COPY --from=runc /usr/bin/runc /buildkit-runc
# built from https://github.com/tonistiigi/binfmt/runs/1743699129
COPY --from=tonistiigi/binfmt:buildkit@sha256:75583ce1cf4a7166fd2592f45e4ff3f53727eee6edcd3a3e804f749b1f214a39 / /
# built from https://github.com/tonistiigi/binfmt/releases/tag/buildkit%2Fv6.0.0-15
COPY --from=tonistiigi/binfmt:buildkit@sha256:81a03e6630e9c39df109bf24ae8c807881c4fd1703084827d855f8093cc7ab7a / /
FROM binaries-linux-helper AS binaries-linux
COPY --from=buildctl /usr/bin/buildctl /
COPY --from=buildkitd /usr/bin/buildkitd /
Expand All @@ -116,13 +114,10 @@ RUN --mount=from=binaries \
FROM scratch AS release
COPY --from=releaser /out/ /

FROM alpine:${ALPINE_VERSION} AS buildkit-export
# nsswitch.conf needs to be present to work around
# https://github.com/golang/go/issues/35305
# drop this once we start building with Go 1.16
# tonistiigi/alpine supports riscv64
FROM tonistiigi/alpine:${ALPINE_VERSION} AS buildkit-export
RUN apk add --no-cache fuse3 git openssh pigz xz \
&& ln -s fusermount3 /usr/bin/fusermount \
&& echo "hosts: files dns" >/etc/nsswitch.conf
&& ln -s fusermount3 /usr/bin/fusermount
COPY examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/
VOLUME /var/lib/buildkit

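Review bot: `FROM tonistiigi/alpine:${ALPINE_VERSION} AS buildkit-export` moves the base of the exported image from the official `alpine` image to a personal-namespace image referenced only by tag. The comment gives the reason (riscv64 support) but not where that image is built from; add the source reference to the comment, as the `binfmt` COPY line elsewhere in this Dockerfile does with its release URL, and pin the image by digest so the contents of the shipped image cannot change under the same tag.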
Expand Down Expand Up @@ -151,6 +146,7 @@ RUN --mount=from=containerd-src,src=/usr/src/containerd,readwrite --mount=target
# containerd v1.4 for integration tests
FROM containerd-base as containerd-alt
ARG CONTAINERD_ALT_VERSION
ARG GO111MODULE=off
RUN --mount=from=containerd-src,src=/usr/src/containerd,readwrite --mount=target=/root/.cache,type=cache \
git fetch origin \
&& git checkout -q "$CONTAINERD_ALT_VERSION" \
Expand Down Expand Up @@ -183,16 +179,6 @@ RUN --mount=target=/root/.cache,type=cache \
xx-verify --static /out/containerd-stargz-grpc && \
xx-verify --static /out/ctr-remote

FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS fuse-overlayfs
RUN apk add --no-cache curl
COPY --from=xx / /
ARG FUSEOVERLAYFS_VERSION
ARG TARGETPLATFORM
RUN mkdir /out && \
curl -sSL -o /out/fuse-overlayfs https://github.com/containers/fuse-overlayfs/releases/download/${FUSEOVERLAYFS_VERSION}/fuse-overlayfs-$(xx-info march) && \
chmod +x /out/fuse-overlayfs && \
xx-verify --static /out/fuse-overlayfs

# Copy together all binaries needed for oci worker mode
FROM buildkit-export AS buildkit-buildkitd.oci_only
COPY --from=buildkitd.oci_only /usr/bin/buildkitd.oci_only /usr/bin/
Expand Down Expand Up @@ -264,9 +250,10 @@ ENV BUILDKIT_RUN_NETWORK_INTEGRATION_TESTS=1 BUILDKIT_CNI_INIT_LOCK_PATH=/run/bu
FROM integration-tests AS dev-env
VOLUME /var/lib/buildkit

# newuidmap & newgidmap binaries (shadow-uidmap 4.7-r1) shipped with alpine cannot be executed without CAP_SYS_ADMIN,
# newuidmap & newgidmap binaries (shadow-uidmap 4.8.1-r0) shipped with alpine cannot be executed without CAP_SYS_ADMIN,
# because the binaries are built without libcap-dev.
# So we need to build the binaries with libcap enabled.
# TODO: ask the Alpine upstream to enable libcap: https://github.com/moby/buildkit/issues/2038
FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS idmap
RUN apk add --no-cache git autoconf automake clang lld gettext-dev libtool make byacc binutils
COPY --from=xx / /
Expand All @@ -281,21 +268,16 @@ RUN CC=$(xx-clang --print-target-triple)-clang ./autogen.sh --disable-nls --disa
&& cp src/newuidmap src/newgidmap /usr/bin

# Rootless mode.
FROM alpine:${ALPINE_VERSION} AS rootless
RUN apk add --no-cache fuse3 git openssh pigz xz
FROM tonistiigi/alpine:${ALPINE_VERSION} AS rootless
RUN apk add --no-cache fuse3 fuse-overlayfs git openssh pigz xz
COPY --from=idmap /usr/bin/newuidmap /usr/bin/newuidmap
COPY --from=idmap /usr/bin/newgidmap /usr/bin/newgidmap
COPY --from=fuse-overlayfs /out/fuse-overlayfs /usr/bin/
# we could just set CAP_SETUID filecap rather than `chmod u+s`, but requires kernel >= 4.14
# nsswitch.conf needs to be present to work around
# https://github.com/golang/go/issues/35305
# drop this once we start building with Go 1.16
RUN chmod u+s /usr/bin/newuidmap /usr/bin/newgidmap \
&& adduser -D -u 1000 user \
&& mkdir -p /run/user/1000 /home/user/.local/tmp /home/user/.local/share/buildkit \
&& chown -R user /run/user/1000 /home/user \
&& echo user:100000:65536 | tee /etc/subuid | tee /etc/subgid \
&& echo "hosts: files dns" >/etc/nsswitch.conf
&& echo user:100000:65536 | tee /etc/subuid | tee /etc/subgid
COPY --from=rootlesskit /rootlesskit /usr/bin/
COPY --from=binaries / /usr/bin/
COPY examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/
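Review bot: With the `fuse-overlayfs` stage and `FUSEOVERLAYFS_VERSION` removed, the version in the rootless image is whatever `apk add --no-cache fuse3 fuse-overlayfs ...` resolves to for the Alpine release in use, so it now changes with `ALPINE_VERSION` instead of with an explicit ARG. State the expected minimum version in a comment next to the `apk add` line, or pin the package version there, so that a base image bump does not silently change the snapshotter binary in the rootless image.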
4 changes: 2 additions & 2 deletions cache/blobs.go
Expand Up @@ -31,7 +31,7 @@ func (sr *immutableRef) computeBlobChain(ctx context.Context, createIfNeeded boo
return errors.Errorf("missing lease requirement for computeBlobChain")
}

if err := sr.Finalize(ctx, true); err != nil {
if err := sr.finalizeLocked(ctx); err != nil {
return err
}

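Review bot: The name `finalizeLocked` in `computeBlobChain` does not say whether the caller must already hold the ref's lock or whether the method takes it, and nothing in this hunk shows a lock being acquired, while `setBlob` further down calls plain `sr.finalize(ctx)`. Add a doc comment to both methods stating the locking contract, since calling the wrong variant is either a data race or a self-deadlock.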
Expand Down Expand Up @@ -174,7 +174,7 @@ func (sr *immutableRef) setBlob(ctx context.Context, desc ocispec.Descriptor) er
return nil
}

if err := sr.finalize(ctx, true); err != nil {
if err := sr.finalize(ctx); err != nil {
return err
}

21 changes: 15 additions & 6 deletions cache/contenthash/checksum.go
Expand Up @@ -91,6 +91,12 @@ type cacheManager struct {
}

func (cm *cacheManager) Checksum(ctx context.Context, ref cache.ImmutableRef, p string, opts ChecksumOpts, s session.Group) (digest.Digest, error) {
if ref == nil {
if p == "/" {
return digest.FromBytes(nil), nil
}
return "", errors.Errorf("%s: no such file or directory", p)
}
cc, err := cm.GetCacheContext(ctx, ensureOriginMetadata(ref.Metadata()), ref.IdentityMapping())
if err != nil {
return "", nil
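Review bot: Directly below the new `ref == nil` guard, the `GetCacheContext` error path is `return "", nil`, which drops `err` and hands the caller an empty digest with no error. Since this function is being touched for error handling anyway, change it to `return "", err` so that a failed cache context lookup cannot be mistaken for a valid checksum. For the guard itself, a short comment that `digest.FromBytes(nil)` is the intended checksum of an empty root would help readers.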
Expand Down Expand Up @@ -509,18 +515,19 @@ func (cc *cacheContext) includedPaths(ctx context.Context, m *mount, p string, o
root = txn.Root()
var (
updated bool
iter *iradix.Seeker
iter *iradix.Iterator
k []byte
kOk bool
)

iter = root.Iterator()

if opts.Wildcard {
iter = root.Seek([]byte{})
k, _, kOk = iter.Next()
} else {
k = convertPathToKey([]byte(p))
if _, kOk = root.Get(k); kOk {
iter = root.Seek(k)
iter.SeekLowerBound(append(append([]byte{}, k...), 0))
}
}

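Review bot: In the non-wildcard branch, `iter.SeekLowerBound(append(append([]byte{}, k...), 0))` positions the iterator at `k` plus a 0 byte, that is strictly after `k`, where the removed line called `root.Seek(k)` with `k` itself. `k` has just been confirmed present by `root.Get(k)`, so add a comment stating that `k` is handled before the first `iter.Next()` (the loop is not visible in this hunk) and that the iterator is meant to start at the entries below it; a test with a single-file path would lock that behaviour in.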
Expand Down Expand Up @@ -721,7 +728,7 @@ func (cc *cacheContext) checksum(ctx context.Context, root *iradix.Node, txn *ir
return nil, false, err
}
if cr == nil {
return nil, false, errors.Wrapf(errNotFound, "%q not found", convertKeyToPath(origk))
return nil, false, errors.Wrapf(errNotFound, "%q", convertKeyToPath(origk))
}
if cr.Digest != "" {
return cr, false, nil
Expand All @@ -732,7 +739,8 @@ func (cc *cacheContext) checksum(ctx context.Context, root *iradix.Node, txn *ir
case CacheRecordTypeDir:
h := sha256.New()
next := append(k, 0)
iter := root.Seek(next)
iter := root.Iterator()
iter.SeekLowerBound(append(append([]byte{}, next...), 0))
subk := next
ok := true
for {
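Review bot: `next` is already `append(k, 0)`, and the new call seeks to `append(append([]byte{}, next...), 0)`, so the lower bound is `k` followed by two 0 bytes where the removed `root.Seek(next)` used one. If the intent is to skip the `k`+0 record itself and start at the first entry under it, say so in a comment; otherwise the extra 0 looks like a copy from the `includedPaths` call site.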
Expand All @@ -750,7 +758,8 @@ func (cc *cacheContext) checksum(ctx context.Context, root *iradix.Node, txn *ir

if subcr.Type == CacheRecordTypeDir { // skip subfiles
next := append(subk, 0, 0xff)
iter = root.Seek(next)
iter = root.Iterator()
iter.SeekLowerBound(next)
}
subk, _, ok = iter.Next()
}
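Review bot: `next := append(subk, 0, 0xff)` is passed to `iter.SeekLowerBound(next)` without the defensive copy used at the other two call sites changed in this file (`append(append([]byte{}, ...), 0)`). `subk` is assigned from `iter.Next()`, so if its backing array has spare capacity the append writes into memory owned by the radix tree. Copy first, for example `append(append([]byte{}, subk...), 0, 0xff)`, or factor the three seeks into one helper that always copies.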