Skip to content

support for device entitlement in build and bake#2994

Merged
crazy-max merged 2 commits intodocker:masterfrom
tonistiigi:device-entitlements
Feb 18, 2025
Merged

support for device entitlement in build and bake#2994
crazy-max merged 2 commits intodocker:masterfrom
tonistiigi:device-entitlements

Conversation

@tonistiigi
Copy link
Copy Markdown
Member

@tonistiigi tonistiigi commented Feb 14, 2025

Buildx side of moby/buildkit#5742

Allow access to CDI Devices in Buildkit v0.20.0+ for devices that are not automatically allowed to be used by everyone in BuildKit configuration.

--allow device grants access to any device.
--allow device=kind|name grants access to specific device.
--allow device=kind|name,alias=kind|name allows mapping kind to a specific device or one device to another. Alias is the name requested by the build and device is the actual device that is being enabled.

@tonistiigi tonistiigi added this to the v0.21.0 milestone Feb 14, 2025
tonistiigi
tonistiigi commented Feb 14, 2025
View reviewed changes
Comment thread commands/build.go
flags.StringSliceVar(&options.extraHosts, "add-host", []string{}, `Add a custom host-to-IP mapping (format: "host:ip")`)

flags.StringSliceVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`)
flags.StringArrayVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`)
Copy link
Copy Markdown
Member Author

@tonistiigi tonistiigi Feb 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is technically a breaking change but I think StringSlice was accidental. Alias syntax can not be supported with the slice.

Copy link
Copy Markdown
Member

@crazy-max crazy-max Feb 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I think it should have been StringArray type in the first place for build. With bake it looks good:

buildx/commands/bake.go

Line 470 in ef73c64

flags.StringArrayVar(&options.allow, "allow", nil, "Allow build to access specified resources")

Would need to adapt build push action to ignore comma:

Looking at https://grep.app/search?regexp=true&q=build.*--allow.*%28security%5C.insecure%7Cnetwork%5C.host%29 it seems people don't use csv values.

There are some in GHA workflows https://grep.app/search?f.path=.github%2Fworkflows%2F&regexp=true&q=allow%3A+.*%28security%5C.insecure%7Cnetwork%5C.host%29 but we can manage this in our action.

@tonistiigi @crazy-max
support for device entitlement in build and bake
0c296fe 
Allow access to CDI Devices in Buildkit v0.20.0+ for
devices that are not automatically allowed to be used by
everyone in BuildKit configuration.

Signed-off-by: Tonis Tiigi <[email protected]>
Signed-off-by: CrazyMax <[email protected]>
@tonistiigi tonistiigi mentioned this pull request Feb 14, 2025
Closed
@crazy-max crazy-max marked this pull request as ready for review February 18, 2025 21:00
@crazy-max crazy-max merged commit cdfc1ed into docker:master Feb 18, 2025
@crazy-max crazy-max mentioned this pull request Feb 18, 2025
Merged
@aevesdocker aevesdocker mentioned this pull request Sep 10, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crazy-max crazy-max crazy-max approved these changes

Assignees

No one assigned

Labels

area/bake area/build area/cdi area/cli area/dependencies area/docs area/tests status/needs-docs-follow-up

Projects

None yet

Milestone

v0.21.0

Development

Successfully merging this pull request may close these issues.

4 participants

@tonistiigi @crazy-max @jsternberg @aevesdocker