Skip to content

support for device entitlement in build and bake #2994

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 18, 2025
Merged

support for device entitlement in build and bake #2994

merged 2 commits into from
Feb 18, 2025

Conversation

@tonistiigi
Copy link
Member

@tonistiigi tonistiigi commented Feb 14, 2025

Buildx side of moby/buildkit#5742

Allow access to CDI Devices in Buildkit v0.20.0+ for devices that are not automatically allowed to be used by everyone in BuildKit configuration.

--allow device grants access to any device.
--allow device=kind|name grants access to specific device.
--allow device=kind|name,alias=kind|name allows mapping kind to a specific device or one device to another. Alias is the name requested by the build and device is the actual device that is being enabled.

@tonistiigi tonistiigi added this to the v0.21.0 milestone Feb 14, 2025
tonistiigi
tonistiigi commented Feb 14, 2025
View reviewed changes
commands/build.go
flags.StringSliceVar(&options.extraHosts, "add-host", []string{}, `Add a custom host-to-IP mapping (format: "host:ip")`)

flags.StringSliceVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`)
flags.StringArrayVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`)
Copy link
Member Author

@tonistiigi tonistiigi Feb 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is technically a breaking change but I think StringSlice was accidental. Alias syntax can not be supported with the slice.

Copy link
Member

@crazy-max crazy-max Feb 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I think it should have been StringArray type in the first place for build. With bake it looks good:

buildx/commands/bake.go

Line 470 in ef73c64

flags.StringArrayVar(&options.allow, "allow", nil, "Allow build to access specified resources")

Would need to adapt build push action to ignore comma:

Looking at https://grep.app/search?regexp=true&q=build.*--allow.*%28security%5C.insecure%7Cnetwork%5C.host%29 it seems people don't use csv values.

There are some in GHA workflows https://grep.app/search?f.path=.github%2Fworkflows%2F&regexp=true&q=allow%3A+.*%28security%5C.insecure%7Cnetwork%5C.host%29 but we can manage this in our action.

@tonistiigi @crazy-max
support for device entitlement in build and bake
0c296fe 
Allow access to CDI Devices in Buildkit v0.20.0+ for
devices that are not automatically allowed to be used by
everyone in BuildKit configuration.

Signed-off-by: Tonis Tiigi <[email protected]>
Signed-off-by: CrazyMax <[email protected]>
@tonistiigi tonistiigi mentioned this pull request Feb 14, 2025
Closed
@crazy-max crazy-max marked this pull request as ready for review February 18, 2025 21:00
@crazy-max crazy-max merged commit cdfc1ed into docker:master Feb 18, 2025
129 checks passed
@crazy-max crazy-max mentioned this pull request Feb 18, 2025
Merged
@aevesdocker aevesdocker mentioned this pull request Sep 10, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crazy-max crazy-max crazy-max approved these changes

Assignees

No one assigned

Labels

area/bake area/build area/cdi area/cli area/dependencies area/docs area/tests status/needs-docs-follow-up

Projects

None yet

Milestone

v0.21.0

Development

Successfully merging this pull request may close these issues.

3 participants

@tonistiigi @crazy-max @jsternberg