OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=461
From 77df1215a7951471696f85397a569920a6c60dbe Mon Sep 17 00:00:00 2001
|
|
From: Aleksa Sarai <cyphar@cyphar.com>
|
|
Date: Fri, 15 Aug 2025 19:55:53 +1000
|
|
Subject: [PATCH 2/2] SECRETS: SUSE: default to DOCKER_BUILDKIT=0 for "docker
|
|
build"
|
|
|
|
For systems with SUSEConnect auto-injection enabled, docker-buildx does
|
|
not include our injected secrets. For SLE15 and earlier, enabling
|
|
"docker build" to auto-switch to "docker buildx build" would thus break
|
|
existing users of the feature.
|
|
|
|
So, make DOCKER_BUILDKIT=0 the default. Users can still opt-in to using
|
|
BuildKit with DOCKER_BUILDKIT=1 or using subcommands like "docker bake"
|
|
or "docker buildx $foo", but existing users won't be broken by the
|
|
change.
|
|
|
|
Users that do switch to BuildKit can inject SCC credentials in a far more
|
|
deliberate (and thus more secure) manner by using
|
|
|
|
RUN --mount=type=secret,id=SCCcredentials zypper -n ...
|
|
|
|
in their Dockerfiles, and then using
|
|
|
|
docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
|
|
|
|
for their builds.
|
|
|
|
SUSE-Bug: https://jira.suse.com/browse/PED-12534
|
|
SUSE-Bug: https://jira.suse.com/browse/PED-8905
|
|
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1247594
|
|
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
|
---
|
|
cmd/docker/builder.go | 28 +++++++++++++++++++++++-----
|
|
1 file changed, 23 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/cmd/docker/builder.go b/cmd/docker/builder.go
|
|
index 3fc465f86..60f2a8e9a 100644
|
|
--- a/cmd/docker/builder.go
|
|
+++ b/cmd/docker/builder.go
|
|
@@ -23,9 +23,19 @@
|
|
Install the docker-buildx package to build images with BuildKit:
|
|
https://docs.docker.com/go/buildx/`
|
|
|
|
- buildkitDisabledWarning = `DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
|
|
- BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
|
|
- environment-variable.`
|
|
+ buildkitDisabledWarning = `INFORMATION: This version of Docker has been patched by SUSE.
|
|
+ These patches allow for automatic access to the host SUSE subscription
|
|
+ inside containers, allowing for customers to create derived images with
|
|
+ "docker build" using SUSE packages. However, this feature is
|
|
+ incompatible with BuildKit and so "docker build" will use the legacy
|
|
+ builder by default. In order to disable this message and continue using
|
|
+ the legacy builder, set the DOCKER_BUILDKIT=0 environment-variable.
|
|
+
|
|
+ In order to opt-in to using BuildKit, set the DOCKER_BUILDKIT=1
|
|
+ environment-variable. See the SUSE Linux Enterprise Server 15
|
|
+ documentation for information on how to switch to BuildKit while still
|
|
+ maintaining access to SCC credentials. In order to use BuildKit, you
|
|
+ must have the docker-buildx package installed.`
|
|
|
|
buildxMissingError = `ERROR: BuildKit is enabled but the buildx component is missing or broken.
|
|
Install the docker-buildx package to build images with BuildKit:
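Review bot: The constant keeps its old name `buildkitDisabledWarning` and sits among the upstream deprecation strings, but its new text is a SUSE-specific informational notice (including a hard-coded SLES 15 documentation reference) that is now printed on stderr for every `docker build` on a host where DOCKER_BUILDKIT is unset; nothing in the file tells a reader that this string is distribution-specific or when it fires. Add a comment above the declaration, e.g. `// SUSE: printed on stderr when "docker build" falls back to the legacy builder because DOCKER_BUILDKIT is unset (see processBuilder); an explicit DOCKER_BUILDKIT=0 silences it.` The enclosing const block starts before this hunk.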
|
|
@@ -48,7 +58,7 @@ func newBuilderError(errorMsg string, pluginLoadErr error) error {
|
|
|
|
//nolint:gocyclo
|
|
func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []string) ([]string, []string, []string, error) {
|
|
- var buildKitDisabled, useBuilder, useAlias bool
|
|
+ var buildKitDisabled, showDisabledWarning, useBuilder, useAlias bool
|
|
var envs []string
|
|
|
|
// check DOCKER_BUILDKIT env var is not empty
|
|
@@ -63,6 +73,14 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st
|
|
} else {
|
|
useBuilder = true
|
|
}
|
|
+ } else {
|
|
+ // SUSE: Disable automatic usage of docker-buildx if unspecified (for
|
|
+ // pre-SLE16) to maintain support for SUSEConnect auto-injection. If a
|
|
+ // user specifies DOCKER_BUILDKIT=1 manually, that's up to them.
|
|
+ buildKitDisabled = true
|
|
+ // Only show the disabled "warning" when the user hasn't explicitly
|
|
+ // opted into DOCKER_BUILDKIT=0.
|
|
+ showDisabledWarning = true
|
|
}
|
|
// docker bake always requires buildkit; ignore "DOCKER_BUILDKIT=0".
|
|
if buildKitDisabled && len(args) > 0 && args[0] == "bake" {
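Review bot: The new `else` branch makes the legacy builder — and with it the implicit SUSEConnect credential injection that the commit message itself calls less deliberate than BuildKit's `--mount=type=secret` — the default for every host where DOCKER_BUILDKIT is unset, including hosts where auto-injection is not configured at all; the CLI presumably cannot detect the daemon-side setting here, but the comment should state that trade-off rather than only "pre-SLE16". Suggest extending the comment with `// The CLI cannot tell whether the daemon has auto-injection enabled, so this default applies to every build; users who opt in with DOCKER_BUILDKIT=1 must pass SCC credentials explicitly via --secret.` Note also that `showDisabledWarning` stays true when the following `bake` check flips `buildKitDisabled` back to false; that is harmless only as long as the notice is still printed inside the `if buildKitDisabled` block, which lies outside this hunk. processBuilder continues past the hunk.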
|
|
@@ -102,7 +120,7 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st
|
|
// is deprecated. For Windows / WCOW, BuildKit is still experimental,
|
|
// so we don't print this warning, even if the daemon advertised that
|
|
// it supports BuildKit.
|
|
- if dockerCli.ServerInfo().OSType != "windows" {
|
|
+ if showDisabledWarning && dockerCli.ServerInfo().OSType != "windows" {
|
|
_, _ = fmt.Fprintf(dockerCli.Err(), "%s\n\n", buildkitDisabledWarning)
|
|
}
|
|
return args, osargs, nil, nil
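Review bot: The comment block directly above the changed condition still describes the message as the legacy-builder deprecation warning that is merely skipped on Windows/WCOW, while the condition now gates a SUSE informational notice on `showDisabledWarning`; the comment no longer matches what is printed or why. Rewrite it along the lines of `// SUSE: print the legacy-builder notice only when DOCKER_BUILDKIT was unset (showDisabledWarning); an explicit DOCKER_BUILDKIT=0 stays silent. Still skipped on Windows/WCOW, where BuildKit is experimental.` The start of that comment and the enclosing `if buildKitDisabled` block are outside the hunk.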
|
|
--
|
|
2.52.0
|
|
|