[Buildkit] Refactoring builds function to interact with buildkit sdk
What is the problem you're trying to solve
Currently nerdctl forks a process to run buildctl for the builds. This creates an issue for finch-daemon to pass in credentials received as part of the API request to pass onto buildctl. One way is to write it to the docker/config.json but that is not inherently secured.
Describe the solution you'd like
Options:
- Use buildkit sdk for the build functionalities in nerdctl.
- Add a username, password option to buildctl to take in as an argument.
@AkihiroSuda any suggestions on which is the preferable option? Personally, option 1 seems to be a better solution as it moves away from forking a process from the daemon along with handling the credentials. Let me know your thoughts.
Additional context
No response
Last I checked, removing the shell out and baking in the buildkit SDK was a no-go - #3196. Maybe we changed opinion on this though.
Happy to help if we want to go that route (I will do it anyhow on my fork).
I still prefer shelling out buildctl.
> Add a username, password option to buildctl to take in as an argument.
This is even worse because it leaks the password in ps.
Probably the options should be passed via an FD? Or just set DOCKER_CONFIG to be a tmp dir
> I still prefer shelling out buildctl.

Could you please elaborate on why you prefer shelling instead of using the SDK? In DIB, we currently shell out to the buildctl binary, but we are planning to switch to the SDK in the future. Do you have strong arguments to justify not transitioning to the SDK?
> why
https://github.com/containerd/nerdctl/issues/3196#issuecomment-2219411792