-------------------------------------------------------------------
Thu Feb 01 16:36:18 UTC 2024 - dcermak@suse.com

- Update to version 0.12.5:
  * update runc to v1.1.12
  * exec: add extra validation for submount sources (fixes CVE-2024-23651, bsc#1219267)
  * oci: fix error handling on submount calls
  * executor: recheck mount stub path within root after container run (fixes CVE-2024-23652, bsc#1219268)
  * llbsolver: make sure interactive container API validates entitlements (fixes CVE-2024-23653, bsc#1219438)
  * gateway: pass executor with build and not access worker directly
  * pb: add extra validation to protobuf types
  * sourcepolicy: add validations for nil values
  * exporter: add validation for platforms key value
  * exporter: add validation for invalid platform
  * exporter: validate null config metadata from gateway
  * ci: disable push if not upstream repo
  * hack: use git context only for upstream repo
  * hack/test: allow ALPINE_VERSION to be set from env
  * hack: align syntax
  * vendor: github.com/cyphar/filepath-securejoin v0.2.4
  * tracing: allow the `Resource` to be set externally

-------------------------------------------------------------------
Mon Dec 04 13:14:41 UTC 2023 - fredrik.lonnegren@suse.com

- Update to version 0.12.4:
  * Fix possible concurrent map access on remote cache export
  * Fix hang on debug server listener
  * Fix possible deadlock in History API under high number of parallel builds
  * Fix possible panic on handling deleted records in History API
  * Fix possible data corruption in zstd library
- Update to version 0.12.3:
  * Fix possible duplicate source files in provenance attestation for chained builds
  * Fix possible negative step time in progressbar for step shared with other build request
  * Fix properly closing history and cache DB on shutdown to avoid corruption
  * Fix incorrect error handling for invalid HTTP source URLs
  * Fix fallback cases for ambiguous insecure configuration provided for registry used as push target.
  * Fix possible data race with parallel image config resolves
  * Fix regression in v0.12 for clients waiting on buildkitd to become available
  * Fix Cgroup NS handling for hosts supporting only CgroupV1
- Update to version 0.12.2:
  * Fix possible discarded network error when exporting result to client
  * Avoid unnecessary memory allocations when writing build progress

-------------------------------------------------------------------
Wed Aug 02 21:37:05 UTC 2023 - elimat@opensuse.org

- Update to version 0.12.1:
  * executor: fix resource sampler goroutine leak
  * [v0.11] make tracing socket forward error non-fatal
  * integration: missing env var to check feature compat
  * test: update pinned busybox image to 1.36
  * test: update pinned alpine image to 3.18
  * vendor: github.com/docker/docker 8e51b8b59cb8 (master, v25.0.0-dev)
  * executor/resource: stub out NewSysSampler on Windows
  * vendor: github.com/docker/cli v24.0.4
  * testutil: move CheckContainerdVersion to a separate package
  * llbsolver: fix policy rule ordering
  * filesync: fix backward compatibility with encoding + and %
  * hack: allow to set GO_VERSION during tests
  * test: always disable tls for dockerd worker
  * buildctl: set max backoff delay to 1 second
  * contenthash: data race
  * filesync: escape special query characters
  * applier: add hack to support docker zstd layers
  * Fix various nits
  * pullprogress data race
  * use sampler lock instead
  * Fix ResolveImageConfig to evaluate source policy
  * sampler data race fix
  * update cgroup parent test to work with cgroupns
  * Revert "specify a `ResponseHeaderTimeout` value"
  * oci: make sure cgroupns is enabled if supported
  * bash lint fix
  * rename BUILDFLAGS to GOBUILDFLAGS
  * allow ENOTSUP for PSI cgroup files
  * containerimage: use platform matcher to detect platform to unpack
  * exporter: silently skip unpacking unknown reference
  * improve error handling in ReadFile
  * dockerfile: arg for controlling go build flags
  * dockerfile: arg to enable go race detection
  * Add support for health start interval
  * Re-vendor moby/moby
  * filesync: mark if options have been encoded to detect old versions
  * dockerfile: heredoc should use 0644 permissions
  * docs: update README to reference OpenTelemetry instead of OpenTracing
  * gateway: restore original filename in ReadFile error message
  * Dockerfile: update containerd to v1.7.2
  * Use system.ToSlash() instead of filepath.ToSlash()
  * Revert most changes to client/llb
  * Remove Architecture
  * Default to linux in client
  * Ensure we use proper path separators
  * Set default platform
  * Add nil pointer check in dispatchWorkdir
  * Remove nil pointer check and extra NormalizePath
  * Rename variable, remove superfluous check
  * Use current OS as a default
  * Handle file paths based on target platform
  * exporter: unlazy references in parallel
  * exporter: simplify unlazy references to reduce duplication
  * exporter: allow unpack on multi-platform images
  * tests: add unpack to scratch export test
  * overlay: set whiteout timestamps to 1970-01-01 (not to SOURCE_DATE_EPOCH)
  * dockerfile: graduate `ADD --checksum=` from labs
  * dockerfile: graduate `ADD ` from labs
  * dockerfile: mod-outdated target to check modules updates
  * dockerfile: use xx in dnsname stage
  * dockerfile: install musl-dev to fix compilation issue
  * dockerfile: update Alpine to 3.18
  * vendor: update fsutil to 36ef4d8
  * export(local): split opt
  * buildctl: Provide --wait option
  * containerimage: support SOURCE_DATE_EPOCH for CreatedAt
  * move flightcontrol to use generics
  * containerimage: keep layer labels for exported images
  * shell: start shell from cmd, not entrypoint
  * sbom: propagate image-resolve-mode for generator image
  * client: add extra debug to tests
  * handle missing provenance for non-evaluated result
  * tests: add provenance test for duplicate platform
  * tests: add provenance test for when context directory does not exist
  * forward: make BridgeClient public for lint
  * gateway: enable named contexts for gateway frontend
  * vendor: update vt100 with resize panic fix
  * docs: dockerfile: remove "known issues" related to AuFS
  * docs: add running instruction to CONTRIBUTING.md
  * tests: add worker close method to interface
  * add and check for gateway.exec.secretenv cap
  * move Secretenv from Meta to InitMessage
  * support passing SecretEnv to gateway containers
  * Add comment, update from review
  * Fix issue with digest merge (inconsistent graph state)
  * docs: add helper commands section to CONTRIBUTING.md
  * docs: update CONTRIBUTING.md whitespace formatting
  * integration: fix not deleting dockerd workdir
  * remove uses of deprecated ResolverOptions.Client
  * filesync: fix handling non-ascii in file paths
  * tests: add test for unicode filenames
  * Adding more docs to client/llb
  * Add special case for rw bind mounts
  * vendor: github.com/docker/cli v24.0.2
  * vendor: github.com/docker/docker v24.0.2
  * progressui: fix index printing on partial rows
  * gateway: wrap ExecProcessServer Send calls with a mutex
  * resources: make maxsamples configurable
  * llbsolver: add systemusage samples to provenance attestation
  * resources: store sys cpu usage per step
  * resources: add sampler for periodic stat reads
  * resources: CNI network usage sampling support
  * resources: add build step resource tracking via cgroups
  * solver: lock before using actives
  * Emulate "bind" mounts using the bind filter
  * Fix mount layers on host
  * llbsolver: set temporary lease in Commit context
  * Update containerd dependency
  * exporter: Add exptypes with Common exporter keys
  * exporter/image/exptypes: Make strongly typed
  * solver: move AddBuildConfig into llbsolver package
  * tests: add test to check url format for image loaded from oci layout
  * solver: mark locally loaded images as such
  * solver: merge local and remote images into single list
  * purl: allow RefToPURL to take a type parameter
  * tests: don't use purl code to test itself
  * Use linux as a default for inputOS
  * Add path handling functions
  * response to comments
  * containerimage: Export option keys
  * vendor: update spdx/tools-golang to v0.5.1
  * exporter: remove non dist options from tar exporter
  * exporter: move fs opt parsing to method
  * tests: fixup attestation tar to not panic when file not found
  * git: set umask without reexec
  * add language property for sourcemap
  * dockerfile/docs: add set -ex to heredoc #3870
  * authprovider: fix a bug where registry-1.docker.io auth was always a cache miss
  * response to comments
  * tracing: fix buildx tracing delegation
  * Update continuity and fsutil
  * cache: add a few more fields to ref trace logs.
  * vendor: github.com/containerd/go-runc v1.1.0
  * provenance: fix possible empty digest access
  * vendor: fix broken vendoring
  * dockerfile: bump up nerdctl to v1.4.0
  * bump nydus-snapshotter dependence to v0.8.2
  * vendor: github.com/docker/cli v24.0.1
  * vendor: github.com/docker/docker v24.0.1
  * vendor: github.com/containerd/containerd v1.7.1
  * vendor: github.com/Microsoft/hcsshim v0.10.0-rc.8
  * vendor: github.com/Microsoft/go-winio v0.6.1
  * vendor: golang.org/x/sys v0.7.0
  * vendor: github.com/containerd/typeurl/v2 v2.1.1
  * chore: bump spdx tools
  * Fix typo in attestation-storage.md
  * vendor: github.com/docker/cli v24.0.0
  * vendor: github.com/docker/docker v24.0.0
  * vendor: github.com/opencontainers/runc v1.1.7
  * vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.2
  * vendor: github.com/klauspost/compress v1.16.3
  * Dockerfile: CONTAINERD_VERSION=v1.7.1
  * Dockerfile: CONTAINERD_ALT_VERSION_16=v1.6.21
  * Dockerfile: RUNC_VERSION=v1.1.7
  * session: avoid logging healthcheck error on canceled connection
  * session: fix run and close synchronization
  * testutil: update ReadImages to fallback to reading manifest
  * Add trace logs for cache leaks.
  * Add some doc strings for LLB functions
  * attestations: move containerd media type warnings
  * update generated proto files
  * attestations: replace intoto media type with vendored const
  * nydus: bump nydus versions in Dockerfile and doc
  * feedback changes for moby/buildkit #2251
  * testutil: expose underlying docker address for supported workers
  * testutil: expose integration workers as public
  * remove type aliases for leasemanager/contentstore
  * llbsolver: move history blobs to a separate namespace
  * build(deps): bump github.com/docker/distribution
  * added import/export support for OCI compatible image manifest version of cache manifest (opt-in on export, inferred on import) moby/buildkit #2251
  * llb: carry platform from inputs for merge/diff
  * llb: don't include platform in fileop
  * control: fix possible deadlock on network error
  * exporter/containerimage: remove redundant type for var declaration
  * Fix not to set the value on empty vertex
  * Fix to import as digest
  * cache: always release ref when getting size in usage.
  * Drop unneeded variable
  * ssh: add fallback to ensure conn is closed in all cases.
  * vendor: github.com/opencontainers/image-spec v1.1.0-rc3
  * vendor: github.com/docker/cli v23.0.5
  * vendor: github.com/docker/docker v23.0.5
  * nydus: update nydus-snapshotter dependency to v0.8.0
  * progressui: fix possible zero prefix numbers in logs
  * llbsolver: send active event only to current client
  * llbsolver: send delete status event
  * llbsolver: filter out records marked deleted from list responses
  * Add Windows service support
  * docs: fixup build repro doc with updated policy format
  * test: use appropriate snapshotter service to walk snapshots
  * overlay: use function to check for overlay-based mounts
  * Update uses of Image platform fields in OCI image-spec
  * allow setting user agent products
  * Bump up golangci-lint to v1.52.2
  * chore: tidy up duplicated imports
  * solver: Release unused refs in LoadWithParents
  * Avoid panic on parallel walking on DefinitionOp
  * solver: skip sbom post processor if result is nil
  * vendor: github.com/docker/docker v23.0.4
  * vendor: github.com/docker/cli v23.0.4
  * vendor: golang.org/x/time v0.3.0
  * vendor: github.com/docker/cli v23.0.2
  * vendor: github.com/docker/docker v23.0.2
  * test: don't hang if a process doesn't run
  * ci: put worker name first for better UX in actions
  * go.mod: remove github.com/kr/pretty
  * Revert "Problem: can't use anonymous S3 credentials"
  * go.mod: bump up runc to v1.1.6
  * go.mod: Bump up stargz-snapshotter to v0.14.3
  * dockerfile: bump up stargz-snapshotter to v0.14.3
  * dockerfile: bump up runc to v1.1.6
  * buildkitd: add grpc reflection
  * Bump up nerdctl to 1.3.0
  * Bump up containerd 1.6.20
  * Fix gzip decoding of HTTP sources.
  * ci: update runner os to ubuntu 22.04
  * Fix bearer token expiration check (fixes #3779)
  * docs: update buildkitd.toml with new field info
  * buildkitd: allow durations for gc config
  * buildkitd: allow multiple units for gc config
  * dockerui: expose context detection functions as public
  * Prevent overflow of runc exit code.
  * Upgrade to latest go-runc.
  * runc worker: fix sigkill handling
  * Dockerfile: RUNC_VERSION=v1.1.5
  * client: add client opts to enable system certificates
  * Make ClientOpts type safe
  * build(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5
  * fileop: create new fileOpSolver instance per Exec call
  * Provide CacheManager to Controller instead of CacheKeyManager.
  * http: ensure HEAD and GET requests have same headers
  * docs: add auto-generated sections to buildctl.md
  * client: allow grpc dial option passthrough
  * cni: simplify netns creation
  * add Bass to list of LLB languages
  * llbsolver: fix sorting of history records
  * llbsolver: Fix performance of recomputeDigests
  * solve: use comparables instead of reflection in result struct
  * vendor: github.com/docker/cli v23.0.1
  * vendor: github.com/docker/docker v23.0.1
  * client: create oci-layout file in StoreIndex
  * ci: output annotations for failures
  * test: set mod vendor
  * test: use gotestsum to generate reports
  * fix gateway exec tty cleanup on context.Canceled
  * fix process termination handling for runc exec
  * Register builds before recording build history
  * docs(dockerfile): minimal Dockerfile version support for chmod
  * Update builder.md to document newly supported --chmod features in both ADD and COPY statements.
  * use bklog.G(ctx) instead of logrus directly
  * integration: missing mergeDiff compat check
  * chore: `translateLegacySolveRequest` does not need to return error checking.
  * integration: split feature compat check for subtests
  * integration: missing feature compat check for cache
  * dockerfile: fix reproducible digest test for non-amd64
  * integration: add FeatureMergeDiff compat
  * integration: add FeatureCacheBackend* compat
  * integration: enforce features compat through env vars
  * ci: upstream docs conformance validation
  * dockerfile(docs): fix liquid syntax
  * Problem: can't use anonymous S3 credentials
  * hack: remove build_ci_first_pass script
  * hack: binaries and cross bake targets
  * go.mod: update to go 1.20
  * Dockerfile: CONTAINERD_VERSION=v1.7.0
  * go.mod: github.com/containerd/containerd v1.7.0
  * Add Namespace to list of buildkit users.
  * remove buildinfo
  * buildinfo: add BUILDKIT_BUILDINFO build arg
  * buildinfo: mark as deprecated
  * docs: deprecated features page
  * rootless: guide for Bottlerocket OS (`sysctl -w user.max_user_namespaces=N`)
  * rootless: fix up unprivileged mount opts
  * Dockerfile: CONTAINERD_VERSION=v1.7.0-rc.3, CONTAINERD_ALT_VERSION_16=v1.6.19
  * go.mod: github.com/containerd/containerd v1.7.0-rc.3
  * version: add "v" prefix to version for tagging convention consistency
  * remove context name validation from kubepod connhelper
  * gateway: add hostname option to NewContainer API
  * fix error message typo
  * provenance: ensure URLs are redacted before written
  * test/client: Close buildkit client
  * docs: missing security policy markdown file
  * diffapply: do chown before xattrs
  * Add test for merge of files with capabilities.
  * fix a possible panic on cache
  * Update cmd/buildkitd/main_windows.go
  * ci(validate): use bake
  * hack: shfmt bake target
  * hack: generated-files bake target
  * hack: doctoc bake target
  * hack: lint bake target
  * hack: authors Dockerfile and bake target
  * hack: bake definition with vendor targets
  * Fix buildkitd panic when frontend input is nil.
  * ci: trigger workflows on push to release branches
  * build(deps): bump golang.org/x/net from 0.5.0 to 0.7.0
  * ci: create GitHub Release for frontend as well
  * ci: make release depends on image job
  * lint: fix issues with go 1.20
  * remove deprecated golangci-lint linters
  * update golangci-lint to v1.51.1
  * update to go 1.20
  * Allow DefinitionOp to track sources
  * specify a `ResponseHeaderTimeout` value
  * Ensures that the primary GID is also included in the additional GIDs
  * ci: fix missing TESTFLAGS env var in test-os workflow
  * Dockerfile: update containerd to v1.7.0-beta.4, v1.6.18
  * go.mod: github.com/containerd/containerd v1.7.0-beta.4
  * ci: update softprops/action-gh-release to v0.1.15
  * ci: remove unused vars in dockerd workflow
  * ci: split cross job
  * Dockerfile: remove binaries-linux-helper stage
  * ci: rename unclear env vars
  * readme: fix and update badges
  * ci: rename build workflow to buildkit
  * ci: reusable test workflow
  * ci: move test-os to a dedicated workflow
  * ci: move frontend integration tests and build to a dedicated workflow
  * stargz-snapshotter: graduate from experimental
  * Bump up stargz-snapshotter to v0.14.1
  * set osversion in index descriptor from base image
  * progress: solve status description
  * ci: update buildx to latest
  * Dockerfile: update xx to 1.2.1
  * integration: make sure registry directory exists
  * gha: avoid range requests with too big offset
  * ci: merge test-nydus job in test one
  * ci: remove branch restriction on pull request event
  * client: add tests for layerID in comment field
  * exporter: fix sbom supplement core detection
  * exporter: fix supplement sboms on empty scratch layer
  * exporter: fix file layer finder whiteout detection
  * exporter: canonicalize sbom file paths during search
  * Add platform tracing socket paths and mounts
  * integration: log dockerd cmd
  * integration: set custom flags for dockerd worker
  * remotecache: proper exporter naming for gha, s3 and azblob
  * remotecache: explicit names for registry and local
  * exporter: use compression.ParseAttributes func
  * remotecache: mutualize compression parsing attrs
  * lex: add support for optional colon in variable expansion
  * test: rework TestProcessWithMatches to use a matrix
  * dockerfile: update to use dockerui pkg
  * dockerui: separate docker frontend params to reusable package
  * cache: add fallback for snapshotID
  * exporter: remove wrappers for oci data types
  * vendor: github.com/docker/cli v23.0.0
  * vendor: github.com/docker/docker v23.0.0
  * hack: do not cache some stages on release
  * hack: do not set attest flags when exporting to docker
  * git: override the locale to ensure consistent output
  * fix support for empty git ref with subdir
  * gitutil: use subtests
  * source: more tests cases for git identifier
  * source: use subtests cases for git identifier
  * otel: bump dependencies to v1.11.2/v0.37.0
  * hack: treat unset variables as an error
  * frontend: fix typo in release script
  * ci: create matrix for building frontend image
  * inline cache: fix blob indexes by uncompressed digest
  * Skip configuring cache exporter if it is nil.
  * docs: update syntax for labs channel in examples
  * integration: remove wrong compat condition
  * integration: fix compat check for CNI DNS test
  * cache: don’t link blobonly based on chainid
  * do not mount secrets that are optional and missing from solve opts
  * SOURCE_DATE_EPOCH: drop timezone
  * sbom: create tmp directory for scanner image
  * progress: keep color enabled with NO_COLOR empty
  * hack: remove azblob_test
  * integration: basic azblob cache test
  * test: add proxy build args when existed
  * vendor: github.com/docker/cli v23.0.0-rc.3
  * vendor: github.com/docker/docker v23.0.0-rc.3
  * vendor: golang.org/x/net v0.5.0
  * vendor: golang.org/x/text v0.6.0
  * vendor: golang.org/x/sys v0.4.0
  * Dockerfile: CNI plugins v1.2.0
  * Dockerfile: CONTAINERD_VERSION=v1.7.0-beta.3, CONTAINERD_ALT_VERSION_16=v1.6.16
  * Fix tracing listener on Windows
  * go.mod: github.com/containerd/containerd v1.7.0-beta.3
  * control: send current timestamp header with event streams
  * vendor: update containerd to v1.6.16-0.1709cfe273d9
  * buildctl: add ref-file to get history record for a build
  * client: make sure ref is configurable for the history API
  * history: save completed steps with cache stats
  * history: fix exporter key not being passed
  * history: fix logs and traces are saving on canceled builds
  * hack: add correct entrypoint to shell script
  * ci: use moby/buildkit:latest in build action
  * dockerfile: add testReproSourceDateEpoch
  * Fix cache cannot reuse lazy layers
  * Correct manifests_prefix documentation for S3 cache
  * Use golang.org/x/sys/windows instead of syscall
  * dockerfile: release frontend for i386 platform
  * Add get-user-info utility
  * optimize --dry-run flag
  * fix(tracing): spelling of OTEL_TRACES_EXPORTER value
  * Propagate sshforward send side connection close
  * buildctl: add `buildctl debug histories, buildctl prune-histories`
  * dockerfile: fix panic on warnings with multi-platform
  * vendor: github.com/docker/cli v23.0.0-rc.2
  * vendor: github.com/docker/docker v23.0.0-rc.2
  * vendor: github.com/containerd/containerd v1.6.15
  * cache: add registry.insecure option to registry exporter
  * Make local cache non-lazy
  * docs/build-repro.md: add the SOURCE_DATE_EPOCH section
  * docs: clarified build argument example by changing the variable name
  * azblob cache: account_name attribute
  * docs: master -> 0.11
  * ci: fix dockerd workflow with latest changes from moby
  * integration: set mirrors and entitlements with dockerd worker
  * github: update CI to buildkit version
  * exporter: ensure spdx order prioritizes primary sbom
  * hack: remove s3_test
  * integration: basic s3 cache test
  * integration: add runCmd and randomString utils
  * integration: expose backend logs in sandbox interface
  * azblob_test: pin busybox to avoid "Illegal instruction" error
  * docs: add nerdctl container buildkitd address docs
  * feat: add namespace support for nerdctl container
  * ci: add ci to check README toc
  * testutil: pin busybox and alpine used in releases
  * exporter: allow configuring inline attestations for image exporters
  * exporter: force enabling inline attestations for image export
  * docs: change semicolons to double ampersands
  * llbsolver: fix panic when requesting provenance on nil result
  * vendor: update fsutil to fb43384
  * attestation: only supplement file data for the core scan
  * docs: add index page for attestations
  * docs: move attestation docs to dedicated directory
  * docs: rename slsa.md to slsa-provenance.md
  * docs: tidy up json examples for slsa definitions
  * docs: add cross-linking between slsa pages
  * Flakiness in azblob test job
  * vendor: update spdx/tools-golang to d6f58551be3f
  * feat: add nerdctl-container support for client
  * docs: slsa review updates
  * docs: moved slsa definitions to a separate page
  * docs: slsa editorial fixes
  * docs: add filename to provenance attestation
  * docs: update hermetic field after it was moved in implementation
  * docs: update provenance docs
  * docs: add slsa provenance documentation
  * progress: fix clean context cancelling
  * fix: updated_at -> updated-at
  * Solve panic due to concurrent access to ExportSpans
  * feat: allow ignoring remote cache-export error if failing
  * add cache stats to the build history API
  * vendor: github.com/docker/cli v23.0.0-rc.1
  * vendor: github.com/docker/docker v23.0.0-rc.1
  * vendor: github.com/containerd/containerd v1.6.14
  * frontend: fix testMultiStageImplicitFrom to account for busybox changes
  * sshforward: skip conn close on stream CloseSend.
  * chore: update buildkitd.toml docs with mirror path example
  * feat: handle mirror url with path
  * provenance: fix the order of the build steps
  * provenance: move hermetic field into a correct struct
  * add possibility to override filename for provenance
  * Fix typo in CapExecMountBindReadWriteNoOutput.
  * Use SkipOutput instead of -1 for output indexes to clarify semantics.
  * fix indentation for in-toto and traces
  * attestation: forbid provenance attestations from frontend
  * attestation: validate attestations before unbundling as well
  * exporter: make attestation validation public
  * result: change reason types to strings
  * attestations: ignore spdx parse errors
  * attestations: propagate metadata through unbundling
  * gateway: add additional check to prevent content func from being forwarded
  * ociindex: add utility method for getting a single manifest from the index
  * ociindex: refactor to hide implementation internally
  * cache: test gha cache exporter
  * containerdexecutor: add network namespace callback
  * frontend/dockerfile: BFlags.Parse(): use strings.Cut()
  * frontend/dockerfile: parseExtraHosts(): use strings.Cut()
  * frontend/dockerfile: parseMount() use strings.Cut(), and some minor cleanup
  * frontend/dockerfile: move check for cache-sharing
  * frontend/dockerfile: provide suggestions for mount share mode
  * frontend/dockerfile: define types for enums
  * frontend/dockerfile/shell: use strings.Equalfold
  * frontend/dockerfile/parser: remove redundant concat
  * frontend/dockerfile: parseBuildStageName(): pre-compile regex
  * frontend/dockerfile: remove isSSHMountsSupported, isSecretMountsSupported
  * docs: Enable rootless for stargz-snapshotter
  * executor/oci: GetResolvConf(): simplify handling of resolv.conf
- fix rpmlint errors
  * systemd units should not have execute permissions
  * add missing %service_add_pre for the systemd units

-------------------------------------------------------------------
Tue Jan 31 17:50:32 UTC 2023 - Dirk Müller

- update to 0.11.2:
  * Update containerd patches to fix regression in handling push errors
  * Multiple fixes for History API #3530
  * Fix issue with parallel build requests using local cache imports #3493
  * Builtin Dockerfile frontend has been updated to 1.5.1, fixing possible panic in certain warning condition #3505
  * Fix possible hang when closing down the SSH forwarding socket in v0.11.0
  * Fix typo in an environment variable used to configure OpenTelemetry endpoints #3508
  * Builtin Dockerfile frontend has been updated to v1.5.0 https://github.com/moby/buildkit/releases/tag/dockerfile%2F1.5.0
  * BuildKit and compatible frontends can now produce SBOM (Software Bill of Materials) attestations for the build results to show the dependencies of the build. These attestations can be added to images and locally exported files. Using Dockerfiles, SBOM information can be configured to be produced also based on files in intermediate build stages or build context, or run processes that manually define the SBOM dependencies. When exporting an image, layer mapping is also produced that allows tracing a SBOM package to a specific build step. #3258 #3290 #3249 #2983 #3358 #3312 #3407 #3408 #3410 #3414 #3422
  * BuildKit can now produce a Provenance attestation for the build result in SLSA format. Provenance attestations describe how a build was produced, and what sources/parameters were used. In addition to fields part of the SLSA specification, Buildkit's provenance also exports BuildKit-specific metadata like LLB steps with their source- and layer mapping. Provenance attestation will capture all the build sources visible to BuildKit, for example, not only the Git repository where the project's source is coming from but also the digests of all the container images used during the build. #3240 #3428 #3428 #3462
  * BuildKit now supports reproducible builds by setting `SOURCE_DATE_EPOCH` build argument or `source-date-epoch` exporter attribute. This deterministic date will be used in image metadata instead of the current time. #2918 #3262 #3152
  * OCI annotations can now be set to build results exported as images or OCI layouts. Annotations can be set on both image manifests and indexes, as well as descriptors to them. #3283 #3061 #2975 #2879
  * New Build History API allows listening to events about builds starting and completing, and streaming progress of active builds. New commands `buildctl debug monitor`, `buildctl debug logs` and `buildctl debug get` have been added to use this API. Build records also keep OpenTelemetry traces, provenance attestations, and image manifests if they were created by the build. #3294 #3339 #3440
  * Build results exported with image, local or tar exporters now support attestations. In addition to builtin SBOM and Provenance attestations, frontends can produce custom attestations in in-toto format #3197 #3070 #3129 #3073 #3063 #2935 #3289 #3389 #3321 #3342 #3461
  * New Source type `oci-layout://` allows builds to import images from OCI directory structure on the client side. This allows using local versions of the image. #3112 #3300 #3122 #3034 #2971 #2827 #3397
  * Build requests now support sending a Source policy definition. A policy can be used to deny access to specific sources (e.g. images or URLs) or only allow access to specific image namespaces. Policies can also be used to modify sources when they are requested by the build, for example, pin a tag requested by the build to a specific digest even if it has already changed in the registry. #3332
  * New remote cache backend: Azure Blob Storage #3010
  * New remote cache backend: S3 #2824 #3065
  * BuildKit now supports Nydus compression type #2581
  * OCI exporter now supports attribute `tar=false` to export OCI layout into a directory instead of downloading a tarball. #3162
  * Setting multiple cache exporters for a single build is now supported #3024 #3271
  * Cache exporters can now be configured to ignore exporting errors #3430
  * Remote cache import/export to client-side local files now supports tag parameter for scoping cache #3111
  * CNI network namespaces are now provisioned from a pool for increased performance #3107
  * New Info service has been added to control API for asking BuildKit daemon's version #2725
  * Gateway API now has a new `Evaluate` method to control the lazy solve behavior #3137
  * Allow mounting secrets with empty contents #3081
  * New RemoveMountStubsRecursive option has been added to LLB ExecOp to control the cleanup behavior of mounts. By default, empty mount stubs are now cleaned up recursively in new frontends. #3314
  * LLB Image source now allows pulling partial layer chains from image
  * Allow hostname to be set by network provider (K8S_POD_NAME) #3044
  * Improve handling and logging of API health checks #2998
  * RegistryToken auth from Docker config is now allowed as authentication input #2868
  * Image exporter with containerd worker now allows skipping adding image to containerd image store with `store=false`. If not set, then stored images are now guaranteed to be unlazied and unpacked. #2800
  * `buildctl` now loads Github runtime environment when using GHA remote cache #2707
  * Support for `conflist` when configuring CNI networking #3029
  * Platform info has been added to the build result descriptor metadata
  * Allow sourcemaps to link single LLB vertex to multiple source locations
  * Support for SSH connection helper #2843
  * Empty stub paths created by mount points when build container runs are now cleaned up and do not remain in the final image. #3307 #3149
  * Improve performance on BoltDB commits #3261
  * Indentation of some of the image manifests has been fixed to use double spaces #3259
  * Fix caching checksum error on copying files with custom UID/GID #3295
  * Fix cases where copy operation left behind nondeterministic timestamps for better support for reproducible builds #3298
  * Fix SSH forwarding incompatibility with OpenSSH >= 8.9 #3274
  * Stargz has been updated to v0.13.0 #3280
  * Embedded QEMU emulators have been updated to v7.1.0 with new patches for path handling. #3386
  * Fix unpacking images with no layers #3251
  * Fix possible nil pointer exception in LLB bridge #3233 #3169 #3066
  * Fix cleanup of containerd tasks if a start fails #3253
  * Fix handling Windows paths in content checksums #3227
  * Fix possible missing newline in progress output #3072
  * Fix possible early EOF on SSH forwarding #3431
  * Fix possible panic in concurrent OpenTelemetry access #3058
  * Previously deprecated old cache options have been removed #2982
  * Daemonless script has been updated to handle already stopped process #3005
  * Fix closing session if shared by multiple clients #2995
  * `buildctl du` command now supports JSON formatting #2992
  * Registry push errors now show additional context #2981
  * Improve default description of FileOp vertexes #2932
  * Make sure progress from exporting is properly keyed on parallel requests
  * Terminal colors are now configurable #2954
  * Build errors now always print stacktraces to daemon logs in debug mode
- switch packaging to zstd
- include ldflags to set the version number in the binaries correctly

-------------------------------------------------------------------
Wed Nov 24 09:43:06 UTC 2021 - Richard Brown

- Initial Packaging