moby · tonistiigi · Dec 30, 2020 · Dec 28, 2020
diff --git a/README.md b/README.md
@@ -60,6 +60,7 @@ You don't need to read this document unless you want to use the full-featured st
     - [`--export-cache` options](#--export-cache-options)
     - [`--import-cache` options](#--import-cache-options)
   - [Consistent hashing](#consistent-hashing)
+- [Systemd socket activation](#systemd-socket-activation)
 - [Expose BuildKit as a TCP service](#expose-buildkit-as-a-tcp-service)
   - [Load balancing](#load-balancing)
 - [Containerizing BuildKit](#containerizing-buildkit)
@@ -126,6 +127,9 @@ By default, the OCI (runc) worker is used. You can set `--oci-worker=false --con
 
 We are open to adding more backends.
 
+To start the buildkitd daemon using systemd socket activiation, you can install the buildkit systemd unit files.
+See [Systemd socket activation](#systemd-socket-activation)
+
 The buildkitd daemon listens gRPC API on `/run/buildkit/buildkitd.sock` by default, but you can also use TCP sockets.
 See [Expose BuildKit as a TCP service](#expose-buildkit-as-a-tcp-service).
 
@@ -370,6 +374,10 @@ consider client-side load balancing using consistent hashing.
 
 See [`./examples/kubernetes/consistenthash`](./examples/kubernetes/consistenthash).
 
+## Systemd socket activation
+
+On Systemd based systems, you can communicate with the daemon via [Systemd socket activation](http://0pointer.de/blog/projects/socket-activation.html), use `buildkitd --addr fd://`.
+You can find examples of using Systemd socket activation with BuildKit and Systemd in [`./examples/systemd`](./examples/systemd).
 ## Expose BuildKit as a TCP service
 
 The `buildkitd` daemon can listen the gRPC API on a TCP socket.

diff --git a/cmd/buildkitd/main.go b/cmd/buildkitd/main.go
@@ -512,6 +512,8 @@ func getListener(addr string, uid, gid int, tlsConfig *tls.Config) (net.Listener
 			logrus.Warnf("TLS is disabled for %s", addr)
 		}
 		return sys.GetLocalListener(listenAddr, uid, gid)
+	case "fd":
+		return listenFD(listenAddr, tlsConfig)
 	case "tcp":
 		if tlsConfig == nil {
 			logrus.Warnf("TLS is not enabled for %s. enabling mutual TLS authentication is highly recommended", addr)

diff --git a/cmd/buildkitd/main_unix.go b/cmd/buildkitd/main_unix.go
@@ -3,9 +3,42 @@
 package main
 
 import (
+	"crypto/tls"
+	"net"
 	"syscall"
+
+	"github.com/coreos/go-systemd/v22/activation"
+	"github.com/pkg/errors"
 )
 
 func init() {
 	syscall.Umask(0)
 }
+
+func listenFD(addr string, tlsConfig *tls.Config) (net.Listener, error) {
+	var (
+		err       error
+		listeners []net.Listener
+	)
+	// socket activation
+	if tlsConfig != nil {
+		listeners, err = activation.TLSListeners(tlsConfig)
+	} else {
+		listeners, err = activation.Listeners()
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	if len(listeners) == 0 {
+		return nil, errors.New("no sockets found via socket activation: make sure the service was started by systemd")
+	}
+
+	// default to first fd
+	if addr == "" {
+		return listeners[0], nil
+	}
+
+	//TODO: systemd fd selection (default is 3)
+	return nil, errors.New("not supported yet")
+}
diff --git a/cmd/buildkitd/main_windows.go b/cmd/buildkitd/main_windows.go
@@ -3,5 +3,13 @@
 package main
 
 import (
+	"crypto/tls"
+	"net"
+
 	_ "github.com/moby/buildkit/solver/llbsolver/ops"
+	"github.com/pkg/errors"
 )
+
+func listenFD(addr string, tlsConfig *tls.Config) (net.Listener, error) {
+	return nil, errors.New("listening server on fd not supported on windows")
+}
diff --git a/examples/systemd/buildkit.service b/examples/systemd/buildkit.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=BuildKit
+Requires=buildkit.socket
+After=buildkit.socket
+Documentation=https://github.com/moby/buildkit
+
+[Service]
+ExecStart=/usr/local/bin/buildkitd --addr fd://
+
+[Install]
+WantedBy=multi-user.target
diff --git a/examples/systemd/buildkit.socket b/examples/systemd/buildkit.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=BuildKit
+Documentation=https://github.com/moby/buildkit
+
+[Socket]
+ListenStream=%t/buildkit/buildkitd.sock
+
+[Install]
+WantedBy=sockets.target
diff --git a/vendor/github.com/coreos/go-systemd/v22/activation/files.go b/vendor/github.com/coreos/go-systemd/v22/activation/files.go
diff --git a/vendor/github.com/coreos/go-systemd/v22/activation/listeners.go b/vendor/github.com/coreos/go-systemd/v22/activation/listeners.go
diff --git a/vendor/github.com/coreos/go-systemd/v22/activation/packetconns.go b/vendor/github.com/coreos/go-systemd/v22/activation/packetconns.go
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -145,6 +145,7 @@ github.com/containernetworking/cni/pkg/types/current
 github.com/containernetworking/cni/pkg/utils
 github.com/containernetworking/cni/pkg/version
 # github.com/coreos/go-systemd/v22 v22.1.0
+github.com/coreos/go-systemd/v22/activation
 github.com/coreos/go-systemd/v22/daemon
 # github.com/cpuguy83/go-md2man/v2 v2.0.0
 github.com/cpuguy83/go-md2man/v2/md2man