imagebuilder
imagebuilder copied to clipboard
openshift
Add support for RUN --network=none --security=insecure
Docker now supports --network and --security option on the RUN line in Dockerfiles, this PR adds support for both.
Signed-off-by: Daniel J Walsh [email protected]
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: rhatdan
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [rhatdan]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
![openshift-ci[bot] avatar](https://avatars.githubusercontent.com/in/91280?v=4 "Published by a pub.dev verified publisher"){kind=small}
@rhatdan: all tests passed!
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
The dockerclient implementation needs to complain about features it doesn't support.
dockerclient.ClientExecutor.Run(). Places where we've neglected this before produced #187, which was a bad experience for users who run the imagebuilder binary.
@flouthoc Please take this over. I am not going to have time to complete it
I would also suggest dropping --security. It's a "labs" feature in BuildKit, and not enabled there by default (compared to the current version of this PR, which makes it available all the time), and we don't have an identified use case for it. What's the benefit to imagebuilder?
The only use case would be if you wanted to run a --privileged container from within a build. But I am fine with dropping it.
I'm taking over this PR and will create two different PR for RUN --network and RUN --security
I would again suggest dropping
--security.
@nalind Ackd dropping this for now.
What are the use case and argument for overriding the specified or default value of the --network CLI setting from inside of a Dockerfile? BuildKit at least requires that the user decide to allow these things at build-time, and I don't see any such precaution in here.
What are the use case and argument for overriding the specified or default value of the
--networkCLI setting from inside of a Dockerfile? BuildKit at least requires that the user decide to allow these things at build-time, and I don't see any such precaution in here.
I haven't check the current PR's implementation yet but I'd assume that RUN --network should only override for a specific RUN invocation and not for the entire build. So for instance a build can be invoked with CLI --network=host but certain RUN instructions can be isolated with RUN --network=none <some task>
Maybe something like: https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/reference.md#example-isolating-external-effects
When I originally looked at this, it looked like imagebuilder and buildah were setup to allow the override on a per RUN bases.
I guess if you were overly cautious you might have
RUN dnf -y update ... RUN --network=none /run/local/script