e3d93058fd
This hack was added in an attempt to continue supporting the experimental (non-buildkit) `--platform` option, by dynamically updating the API version required if buildkit isn't enabled. This hack didn't work, however, because at the moment the override is added, the command is not yet attached to the "root" (`docker`) command, and because of that, the command itself is the `root` command; `cmd.Root()` returned the `build` command. As a result, validation steps defined as `PersistentPreRunE` on the root command were not executed, causing invalid flags/options to not producing an error. Attempts to use an alternative approach (for example, cobra supports both a `PersistentPreRun` and `PersistentPreRunE`) did not work either, because `PersistentPreRunE` takes precedence over `PersistentPreRun`, and only one will be executed. Now that `--platform` should be supported for other cases than just for experimental (LCOW), let's remove the 'experimental' check, and just assume it's supported for API v1.32 and up. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
667 lines
23 KiB
Go
667 lines
23 KiB
Go
package image
|
|
|
|
import (
|
|
"archive/tar"
|
|
"bufio"
|
|
"bytes"
|
|
"context"
|
|
"encoding/csv"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"io/ioutil"
|
|
"os"
|
|
"path/filepath"
|
|
"regexp"
|
|
"runtime"
|
|
"strings"
|
|
|
|
"github.com/docker/cli/cli"
|
|
"github.com/docker/cli/cli/command"
|
|
"github.com/docker/cli/cli/command/image/build"
|
|
"github.com/docker/cli/opts"
|
|
"github.com/docker/distribution/reference"
|
|
"github.com/docker/docker/api"
|
|
"github.com/docker/docker/api/types"
|
|
"github.com/docker/docker/api/types/container"
|
|
"github.com/docker/docker/pkg/archive"
|
|
"github.com/docker/docker/pkg/idtools"
|
|
"github.com/docker/docker/pkg/jsonmessage"
|
|
"github.com/docker/docker/pkg/progress"
|
|
"github.com/docker/docker/pkg/streamformatter"
|
|
"github.com/docker/docker/pkg/urlutil"
|
|
units "github.com/docker/go-units"
|
|
"github.com/pkg/errors"
|
|
"github.com/spf13/cobra"
|
|
)
|
|
|
|
var errStdinConflict = errors.New("invalid argument: can't use stdin for both build context and dockerfile")
|
|
|
|
type buildOptions struct {
|
|
context string
|
|
dockerfileName string
|
|
tags opts.ListOpts
|
|
labels opts.ListOpts
|
|
buildArgs opts.ListOpts
|
|
extraHosts opts.ListOpts
|
|
ulimits *opts.UlimitOpt
|
|
memory opts.MemBytes
|
|
memorySwap opts.MemSwapBytes
|
|
shmSize opts.MemBytes
|
|
cpuShares int64
|
|
cpuPeriod int64
|
|
cpuQuota int64
|
|
cpuSetCpus string
|
|
cpuSetMems string
|
|
cgroupParent string
|
|
isolation string
|
|
quiet bool
|
|
noCache bool
|
|
progress string
|
|
rm bool
|
|
forceRm bool
|
|
pull bool
|
|
cacheFrom []string
|
|
compress bool
|
|
securityOpt []string
|
|
networkMode string
|
|
squash bool
|
|
target string
|
|
imageIDFile string
|
|
stream bool
|
|
platform string
|
|
untrusted bool
|
|
secrets []string
|
|
ssh []string
|
|
outputs []string
|
|
}
|
|
|
|
// dockerfileFromStdin returns true when the user specified that the Dockerfile
|
|
// should be read from stdin instead of a file
|
|
func (o buildOptions) dockerfileFromStdin() bool {
|
|
return o.dockerfileName == "-"
|
|
}
|
|
|
|
// contextFromStdin returns true when the user specified that the build context
|
|
// should be read from stdin
|
|
func (o buildOptions) contextFromStdin() bool {
|
|
return o.context == "-"
|
|
}
|
|
|
|
func newBuildOptions() buildOptions {
|
|
ulimits := make(map[string]*units.Ulimit)
|
|
return buildOptions{
|
|
tags: opts.NewListOpts(validateTag),
|
|
buildArgs: opts.NewListOpts(opts.ValidateEnv),
|
|
ulimits: opts.NewUlimitOpt(&ulimits),
|
|
labels: opts.NewListOpts(opts.ValidateLabel),
|
|
extraHosts: opts.NewListOpts(opts.ValidateExtraHost),
|
|
}
|
|
}
|
|
|
|
// NewBuildCommand creates a new `docker build` command
|
|
func NewBuildCommand(dockerCli command.Cli) *cobra.Command {
|
|
options := newBuildOptions()
|
|
|
|
cmd := &cobra.Command{
|
|
Use: "build [OPTIONS] PATH | URL | -",
|
|
Short: "Build an image from a Dockerfile",
|
|
Args: cli.ExactArgs(1),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
options.context = args[0]
|
|
return runBuild(dockerCli, options)
|
|
},
|
|
}
|
|
|
|
flags := cmd.Flags()
|
|
|
|
flags.VarP(&options.tags, "tag", "t", "Name and optionally a tag in the 'name:tag' format")
|
|
flags.Var(&options.buildArgs, "build-arg", "Set build-time variables")
|
|
flags.Var(options.ulimits, "ulimit", "Ulimit options")
|
|
flags.SetAnnotation("ulimit", "no-buildkit", nil)
|
|
flags.StringVarP(&options.dockerfileName, "file", "f", "", "Name of the Dockerfile (Default is 'PATH/Dockerfile')")
|
|
flags.VarP(&options.memory, "memory", "m", "Memory limit")
|
|
flags.SetAnnotation("memory", "no-buildkit", nil)
|
|
flags.Var(&options.memorySwap, "memory-swap", "Swap limit equal to memory plus swap: '-1' to enable unlimited swap")
|
|
flags.SetAnnotation("memory-swap", "no-buildkit", nil)
|
|
flags.Var(&options.shmSize, "shm-size", "Size of /dev/shm")
|
|
flags.SetAnnotation("shm-size", "no-buildkit", nil)
|
|
flags.Int64VarP(&options.cpuShares, "cpu-shares", "c", 0, "CPU shares (relative weight)")
|
|
flags.SetAnnotation("cpu-shares", "no-buildkit", nil)
|
|
flags.Int64Var(&options.cpuPeriod, "cpu-period", 0, "Limit the CPU CFS (Completely Fair Scheduler) period")
|
|
flags.SetAnnotation("cpu-period", "no-buildkit", nil)
|
|
flags.Int64Var(&options.cpuQuota, "cpu-quota", 0, "Limit the CPU CFS (Completely Fair Scheduler) quota")
|
|
flags.SetAnnotation("cpu-quota", "no-buildkit", nil)
|
|
flags.StringVar(&options.cpuSetCpus, "cpuset-cpus", "", "CPUs in which to allow execution (0-3, 0,1)")
|
|
flags.SetAnnotation("cpuset-cpus", "no-buildkit", nil)
|
|
flags.StringVar(&options.cpuSetMems, "cpuset-mems", "", "MEMs in which to allow execution (0-3, 0,1)")
|
|
flags.SetAnnotation("cpuset-mems", "no-buildkit", nil)
|
|
flags.StringVar(&options.cgroupParent, "cgroup-parent", "", "Optional parent cgroup for the container")
|
|
flags.SetAnnotation("cgroup-parent", "no-buildkit", nil)
|
|
flags.StringVar(&options.isolation, "isolation", "", "Container isolation technology")
|
|
flags.Var(&options.labels, "label", "Set metadata for an image")
|
|
flags.BoolVar(&options.noCache, "no-cache", false, "Do not use cache when building the image")
|
|
flags.BoolVar(&options.rm, "rm", true, "Remove intermediate containers after a successful build")
|
|
flags.SetAnnotation("rm", "no-buildkit", nil)
|
|
flags.BoolVar(&options.forceRm, "force-rm", false, "Always remove intermediate containers")
|
|
flags.SetAnnotation("force-rm", "no-buildkit", nil)
|
|
flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the build output and print image ID on success")
|
|
flags.BoolVar(&options.pull, "pull", false, "Always attempt to pull a newer version of the image")
|
|
flags.StringSliceVar(&options.cacheFrom, "cache-from", []string{}, "Images to consider as cache sources")
|
|
flags.BoolVar(&options.compress, "compress", false, "Compress the build context using gzip")
|
|
flags.SetAnnotation("compress", "no-buildkit", nil)
|
|
flags.StringSliceVar(&options.securityOpt, "security-opt", []string{}, "Security options")
|
|
flags.SetAnnotation("security-opt", "no-buildkit", nil)
|
|
flags.StringVar(&options.networkMode, "network", "default", "Set the networking mode for the RUN instructions during build")
|
|
flags.SetAnnotation("network", "version", []string{"1.25"})
|
|
flags.Var(&options.extraHosts, "add-host", "Add a custom host-to-IP mapping (host:ip)")
|
|
flags.StringVar(&options.target, "target", "", "Set the target build stage to build.")
|
|
flags.StringVar(&options.imageIDFile, "iidfile", "", "Write the image ID to the file")
|
|
|
|
command.AddTrustVerificationFlags(flags, &options.untrusted, dockerCli.ContentTrustEnabled())
|
|
|
|
flags.StringVar(&options.platform, "platform", os.Getenv("DOCKER_DEFAULT_PLATFORM"), "Set platform if server is multi-platform capable")
|
|
flags.SetAnnotation("platform", "version", []string{"1.38"})
|
|
flags.SetAnnotation("platform", "buildkit", nil)
|
|
|
|
flags.BoolVar(&options.squash, "squash", false, "Squash newly built layers into a single new layer")
|
|
flags.SetAnnotation("squash", "experimental", nil)
|
|
flags.SetAnnotation("squash", "version", []string{"1.25"})
|
|
|
|
flags.BoolVar(&options.stream, "stream", false, "Stream attaches to server to negotiate build context")
|
|
flags.MarkHidden("stream")
|
|
|
|
flags.StringVar(&options.progress, "progress", "auto", "Set type of progress output (auto, plain, tty). Use plain to show container output")
|
|
flags.SetAnnotation("progress", "buildkit", nil)
|
|
|
|
flags.StringArrayVar(&options.secrets, "secret", []string{}, "Secret file to expose to the build (only if BuildKit enabled): id=mysecret,src=/local/secret")
|
|
flags.SetAnnotation("secret", "version", []string{"1.39"})
|
|
flags.SetAnnotation("secret", "buildkit", nil)
|
|
|
|
flags.StringArrayVar(&options.ssh, "ssh", []string{}, "SSH agent socket or keys to expose to the build (only if BuildKit enabled) (format: default|<id>[=<socket>|<key>[,<key>]])")
|
|
flags.SetAnnotation("ssh", "version", []string{"1.39"})
|
|
flags.SetAnnotation("ssh", "buildkit", nil)
|
|
|
|
flags.StringArrayVarP(&options.outputs, "output", "o", []string{}, "Output destination (format: type=local,dest=path)")
|
|
flags.SetAnnotation("output", "version", []string{"1.40"})
|
|
flags.SetAnnotation("output", "buildkit", nil)
|
|
|
|
return cmd
|
|
}
|
|
|
|
// lastProgressOutput is the same as progress.Output except
|
|
// that it only output with the last update. It is used in
|
|
// non terminal scenarios to suppress verbose messages
|
|
type lastProgressOutput struct {
|
|
output progress.Output
|
|
}
|
|
|
|
// WriteProgress formats progress information from a ProgressReader.
|
|
func (out *lastProgressOutput) WriteProgress(prog progress.Progress) error {
|
|
if !prog.LastUpdate {
|
|
return nil
|
|
}
|
|
|
|
return out.output.WriteProgress(prog)
|
|
}
|
|
|
|
// nolint: gocyclo
|
|
func runBuild(dockerCli command.Cli, options buildOptions) error {
|
|
buildkitEnabled, err := command.BuildKitEnabled(dockerCli.ServerInfo())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if buildkitEnabled {
|
|
return runBuildBuildKit(dockerCli, options)
|
|
}
|
|
|
|
var (
|
|
buildCtx io.ReadCloser
|
|
dockerfileCtx io.ReadCloser
|
|
contextDir string
|
|
tempDir string
|
|
relDockerfile string
|
|
progBuff io.Writer
|
|
buildBuff io.Writer
|
|
remote string
|
|
)
|
|
|
|
if options.stream {
|
|
_, _ = fmt.Fprint(dockerCli.Err(), `DEPRECATED: The experimental --stream flag has been removed and the build context
|
|
will be sent non-streaming. Enable BuildKit instead with DOCKER_BUILDKIT=1
|
|
to stream build context, see https://docs.docker.com/go/buildkit/
|
|
|
|
`)
|
|
}
|
|
|
|
if options.dockerfileFromStdin() {
|
|
if options.contextFromStdin() {
|
|
return errStdinConflict
|
|
}
|
|
dockerfileCtx = dockerCli.In()
|
|
}
|
|
|
|
specifiedContext := options.context
|
|
progBuff = dockerCli.Out()
|
|
buildBuff = dockerCli.Out()
|
|
if options.quiet {
|
|
progBuff = bytes.NewBuffer(nil)
|
|
buildBuff = bytes.NewBuffer(nil)
|
|
}
|
|
if options.imageIDFile != "" {
|
|
// Avoid leaving a stale file if we eventually fail
|
|
if err := os.Remove(options.imageIDFile); err != nil && !os.IsNotExist(err) {
|
|
return errors.Wrap(err, "Removing image ID file")
|
|
}
|
|
}
|
|
|
|
switch {
|
|
case options.contextFromStdin():
|
|
// buildCtx is tar archive. if stdin was dockerfile then it is wrapped
|
|
buildCtx, relDockerfile, err = build.GetContextFromReader(dockerCli.In(), options.dockerfileName)
|
|
case isLocalDir(specifiedContext):
|
|
contextDir, relDockerfile, err = build.GetContextFromLocalDir(specifiedContext, options.dockerfileName)
|
|
if err == nil && strings.HasPrefix(relDockerfile, ".."+string(filepath.Separator)) {
|
|
// Dockerfile is outside of build-context; read the Dockerfile and pass it as dockerfileCtx
|
|
dockerfileCtx, err = os.Open(options.dockerfileName)
|
|
if err != nil {
|
|
return errors.Errorf("unable to open Dockerfile: %v", err)
|
|
}
|
|
defer dockerfileCtx.Close()
|
|
}
|
|
case urlutil.IsGitURL(specifiedContext):
|
|
tempDir, relDockerfile, err = build.GetContextFromGitURL(specifiedContext, options.dockerfileName)
|
|
case urlutil.IsURL(specifiedContext):
|
|
buildCtx, relDockerfile, err = build.GetContextFromURL(progBuff, specifiedContext, options.dockerfileName)
|
|
default:
|
|
return errors.Errorf("unable to prepare context: path %q not found", specifiedContext)
|
|
}
|
|
|
|
if err != nil {
|
|
if options.quiet && urlutil.IsURL(specifiedContext) {
|
|
fmt.Fprintln(dockerCli.Err(), progBuff)
|
|
}
|
|
return errors.Errorf("unable to prepare context: %s", err)
|
|
}
|
|
|
|
if tempDir != "" {
|
|
defer os.RemoveAll(tempDir)
|
|
contextDir = tempDir
|
|
}
|
|
|
|
// read from a directory into tar archive
|
|
if buildCtx == nil {
|
|
excludes, err := build.ReadDockerignore(contextDir)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := build.ValidateContextDirectory(contextDir, excludes); err != nil {
|
|
return errors.Errorf("error checking context: '%s'.", err)
|
|
}
|
|
|
|
// And canonicalize dockerfile name to a platform-independent one
|
|
relDockerfile = archive.CanonicalTarNameForPath(relDockerfile)
|
|
|
|
excludes = build.TrimBuildFilesFromExcludes(excludes, relDockerfile, options.dockerfileFromStdin())
|
|
buildCtx, err = archive.TarWithOptions(contextDir, &archive.TarOptions{
|
|
ExcludePatterns: excludes,
|
|
ChownOpts: &idtools.Identity{UID: 0, GID: 0},
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// replace Dockerfile if it was added from stdin or a file outside the build-context, and there is archive context
|
|
if dockerfileCtx != nil && buildCtx != nil {
|
|
buildCtx, relDockerfile, err = build.AddDockerfileToBuildContext(dockerfileCtx, buildCtx)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
|
|
var resolvedTags []*resolvedTag
|
|
if !options.untrusted {
|
|
translator := func(ctx context.Context, ref reference.NamedTagged) (reference.Canonical, error) {
|
|
return TrustedReference(ctx, dockerCli, ref, nil)
|
|
}
|
|
// if there is a tar wrapper, the dockerfile needs to be replaced inside it
|
|
if buildCtx != nil {
|
|
// Wrap the tar archive to replace the Dockerfile entry with the rewritten
|
|
// Dockerfile which uses trusted pulls.
|
|
buildCtx = replaceDockerfileForContentTrust(ctx, buildCtx, relDockerfile, translator, &resolvedTags)
|
|
} else if dockerfileCtx != nil {
|
|
// if there was not archive context still do the possible replacements in Dockerfile
|
|
newDockerfile, _, err := rewriteDockerfileFromForContentTrust(ctx, dockerfileCtx, translator)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
dockerfileCtx = ioutil.NopCloser(bytes.NewBuffer(newDockerfile))
|
|
}
|
|
}
|
|
|
|
if options.compress {
|
|
buildCtx, err = build.Compress(buildCtx)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// Setup an upload progress bar
|
|
progressOutput := streamformatter.NewProgressOutput(progBuff)
|
|
if !dockerCli.Out().IsTerminal() {
|
|
progressOutput = &lastProgressOutput{output: progressOutput}
|
|
}
|
|
|
|
// if up to this point nothing has set the context then we must have another
|
|
// way for sending it(streaming) and set the context to the Dockerfile
|
|
if dockerfileCtx != nil && buildCtx == nil {
|
|
buildCtx = dockerfileCtx
|
|
}
|
|
|
|
var body io.Reader
|
|
if buildCtx != nil {
|
|
body = progress.NewProgressReader(buildCtx, progressOutput, 0, "", "Sending build context to Docker daemon")
|
|
}
|
|
|
|
configFile := dockerCli.ConfigFile()
|
|
creds, _ := configFile.GetAllCredentials()
|
|
authConfigs := make(map[string]types.AuthConfig, len(creds))
|
|
for k, auth := range creds {
|
|
authConfigs[k] = types.AuthConfig(auth)
|
|
}
|
|
buildOptions := imageBuildOptions(dockerCli, options)
|
|
buildOptions.Version = types.BuilderV1
|
|
buildOptions.Dockerfile = relDockerfile
|
|
buildOptions.AuthConfigs = authConfigs
|
|
buildOptions.RemoteContext = remote
|
|
|
|
response, err := dockerCli.Client().ImageBuild(ctx, body, buildOptions)
|
|
if err != nil {
|
|
if options.quiet {
|
|
fmt.Fprintf(dockerCli.Err(), "%s", progBuff)
|
|
}
|
|
cancel()
|
|
return err
|
|
}
|
|
defer response.Body.Close()
|
|
|
|
imageID := ""
|
|
aux := func(msg jsonmessage.JSONMessage) {
|
|
var result types.BuildResult
|
|
if err := json.Unmarshal(*msg.Aux, &result); err != nil {
|
|
fmt.Fprintf(dockerCli.Err(), "Failed to parse aux message: %s", err)
|
|
} else {
|
|
imageID = result.ID
|
|
}
|
|
}
|
|
|
|
err = jsonmessage.DisplayJSONMessagesStream(response.Body, buildBuff, dockerCli.Out().FD(), dockerCli.Out().IsTerminal(), aux)
|
|
if err != nil {
|
|
if jerr, ok := err.(*jsonmessage.JSONError); ok {
|
|
// If no error code is set, default to 1
|
|
if jerr.Code == 0 {
|
|
jerr.Code = 1
|
|
}
|
|
if options.quiet {
|
|
fmt.Fprintf(dockerCli.Err(), "%s%s", progBuff, buildBuff)
|
|
}
|
|
return cli.StatusError{Status: jerr.Message, StatusCode: jerr.Code}
|
|
}
|
|
return err
|
|
}
|
|
|
|
// Windows: show error message about modified file permissions if the
|
|
// daemon isn't running Windows.
|
|
if response.OSType != "windows" && runtime.GOOS == "windows" && !options.quiet {
|
|
fmt.Fprintln(dockerCli.Out(), "SECURITY WARNING: You are building a Docker "+
|
|
"image from Windows against a non-Windows Docker host. All files and "+
|
|
"directories added to build context will have '-rwxr-xr-x' permissions. "+
|
|
"It is recommended to double check and reset permissions for sensitive "+
|
|
"files and directories.")
|
|
}
|
|
|
|
// Everything worked so if -q was provided the output from the daemon
|
|
// should be just the image ID and we'll print that to stdout.
|
|
if options.quiet {
|
|
imageID = fmt.Sprintf("%s", buildBuff)
|
|
_, _ = fmt.Fprint(dockerCli.Out(), imageID)
|
|
}
|
|
|
|
if options.imageIDFile != "" {
|
|
if imageID == "" {
|
|
return errors.Errorf("Server did not provide an image ID. Cannot write %s", options.imageIDFile)
|
|
}
|
|
if err := ioutil.WriteFile(options.imageIDFile, []byte(imageID), 0666); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
if !options.untrusted {
|
|
// Since the build was successful, now we must tag any of the resolved
|
|
// images from the above Dockerfile rewrite.
|
|
for _, resolved := range resolvedTags {
|
|
if err := TagTrusted(ctx, dockerCli, resolved.digestRef, resolved.tagRef); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func isLocalDir(c string) bool {
|
|
_, err := os.Stat(c)
|
|
return err == nil
|
|
}
|
|
|
|
type translatorFunc func(context.Context, reference.NamedTagged) (reference.Canonical, error)
|
|
|
|
// validateTag checks if the given image name can be resolved.
|
|
func validateTag(rawRepo string) (string, error) {
|
|
_, err := reference.ParseNormalizedNamed(rawRepo)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
return rawRepo, nil
|
|
}
|
|
|
|
var dockerfileFromLinePattern = regexp.MustCompile(`(?i)^[\s]*FROM[ \f\r\t\v]+(?P<image>[^ \f\r\t\v\n#]+)`)
|
|
|
|
// resolvedTag records the repository, tag, and resolved digest reference
|
|
// from a Dockerfile rewrite.
|
|
type resolvedTag struct {
|
|
digestRef reference.Canonical
|
|
tagRef reference.NamedTagged
|
|
}
|
|
|
|
// rewriteDockerfileFromForContentTrust rewrites the given Dockerfile by resolving images in
|
|
// "FROM <image>" instructions to a digest reference. `translator` is a
|
|
// function that takes a repository name and tag reference and returns a
|
|
// trusted digest reference.
|
|
// This should be called *only* when content trust is enabled
|
|
func rewriteDockerfileFromForContentTrust(ctx context.Context, dockerfile io.Reader, translator translatorFunc) (newDockerfile []byte, resolvedTags []*resolvedTag, err error) {
|
|
scanner := bufio.NewScanner(dockerfile)
|
|
buf := bytes.NewBuffer(nil)
|
|
|
|
// Scan the lines of the Dockerfile, looking for a "FROM" line.
|
|
for scanner.Scan() {
|
|
line := scanner.Text()
|
|
|
|
matches := dockerfileFromLinePattern.FindStringSubmatch(line)
|
|
if matches != nil && matches[1] != api.NoBaseImageSpecifier {
|
|
// Replace the line with a resolved "FROM repo@digest"
|
|
var ref reference.Named
|
|
ref, err = reference.ParseNormalizedNamed(matches[1])
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
ref = reference.TagNameOnly(ref)
|
|
if ref, ok := ref.(reference.NamedTagged); ok {
|
|
trustedRef, err := translator(ctx, ref)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
line = dockerfileFromLinePattern.ReplaceAllLiteralString(line, fmt.Sprintf("FROM %s", reference.FamiliarString(trustedRef)))
|
|
resolvedTags = append(resolvedTags, &resolvedTag{
|
|
digestRef: trustedRef,
|
|
tagRef: ref,
|
|
})
|
|
}
|
|
}
|
|
|
|
_, err := fmt.Fprintln(buf, line)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
}
|
|
|
|
return buf.Bytes(), resolvedTags, scanner.Err()
|
|
}
|
|
|
|
// replaceDockerfileForContentTrust wraps the given input tar archive stream and
|
|
// uses the translator to replace the Dockerfile which uses a trusted reference.
|
|
// Returns a new tar archive stream with the replaced Dockerfile.
|
|
func replaceDockerfileForContentTrust(ctx context.Context, inputTarStream io.ReadCloser, dockerfileName string, translator translatorFunc, resolvedTags *[]*resolvedTag) io.ReadCloser {
|
|
pipeReader, pipeWriter := io.Pipe()
|
|
go func() {
|
|
tarReader := tar.NewReader(inputTarStream)
|
|
tarWriter := tar.NewWriter(pipeWriter)
|
|
|
|
defer inputTarStream.Close()
|
|
|
|
for {
|
|
hdr, err := tarReader.Next()
|
|
if err == io.EOF {
|
|
// Signals end of archive.
|
|
tarWriter.Close()
|
|
pipeWriter.Close()
|
|
return
|
|
}
|
|
if err != nil {
|
|
pipeWriter.CloseWithError(err)
|
|
return
|
|
}
|
|
|
|
content := io.Reader(tarReader)
|
|
if hdr.Name == dockerfileName {
|
|
// This entry is the Dockerfile. Since the tar archive was
|
|
// generated from a directory on the local filesystem, the
|
|
// Dockerfile will only appear once in the archive.
|
|
var newDockerfile []byte
|
|
newDockerfile, *resolvedTags, err = rewriteDockerfileFromForContentTrust(ctx, content, translator)
|
|
if err != nil {
|
|
pipeWriter.CloseWithError(err)
|
|
return
|
|
}
|
|
hdr.Size = int64(len(newDockerfile))
|
|
content = bytes.NewBuffer(newDockerfile)
|
|
}
|
|
|
|
if err := tarWriter.WriteHeader(hdr); err != nil {
|
|
pipeWriter.CloseWithError(err)
|
|
return
|
|
}
|
|
|
|
if _, err := io.Copy(tarWriter, content); err != nil {
|
|
pipeWriter.CloseWithError(err)
|
|
return
|
|
}
|
|
}
|
|
}()
|
|
|
|
return pipeReader
|
|
}
|
|
|
|
func imageBuildOptions(dockerCli command.Cli, options buildOptions) types.ImageBuildOptions {
|
|
configFile := dockerCli.ConfigFile()
|
|
return types.ImageBuildOptions{
|
|
Memory: options.memory.Value(),
|
|
MemorySwap: options.memorySwap.Value(),
|
|
Tags: options.tags.GetAll(),
|
|
SuppressOutput: options.quiet,
|
|
NoCache: options.noCache,
|
|
Remove: options.rm,
|
|
ForceRemove: options.forceRm,
|
|
PullParent: options.pull,
|
|
Isolation: container.Isolation(options.isolation),
|
|
CPUSetCPUs: options.cpuSetCpus,
|
|
CPUSetMems: options.cpuSetMems,
|
|
CPUShares: options.cpuShares,
|
|
CPUQuota: options.cpuQuota,
|
|
CPUPeriod: options.cpuPeriod,
|
|
CgroupParent: options.cgroupParent,
|
|
ShmSize: options.shmSize.Value(),
|
|
Ulimits: options.ulimits.GetList(),
|
|
BuildArgs: configFile.ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(options.buildArgs.GetAll())),
|
|
Labels: opts.ConvertKVStringsToMap(options.labels.GetAll()),
|
|
CacheFrom: options.cacheFrom,
|
|
SecurityOpt: options.securityOpt,
|
|
NetworkMode: options.networkMode,
|
|
Squash: options.squash,
|
|
ExtraHosts: options.extraHosts.GetAll(),
|
|
Target: options.target,
|
|
Platform: options.platform,
|
|
}
|
|
}
|
|
|
|
func parseOutputs(inp []string) ([]types.ImageBuildOutput, error) {
|
|
var outs []types.ImageBuildOutput
|
|
if len(inp) == 0 {
|
|
return nil, nil
|
|
}
|
|
for _, s := range inp {
|
|
csvReader := csv.NewReader(strings.NewReader(s))
|
|
fields, err := csvReader.Read()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(fields) == 1 && fields[0] == s && !strings.HasPrefix(s, "type=") {
|
|
if s == "-" {
|
|
outs = append(outs, types.ImageBuildOutput{
|
|
Type: "tar",
|
|
Attrs: map[string]string{
|
|
"dest": s,
|
|
},
|
|
})
|
|
} else {
|
|
outs = append(outs, types.ImageBuildOutput{
|
|
Type: "local",
|
|
Attrs: map[string]string{
|
|
"dest": s,
|
|
},
|
|
})
|
|
}
|
|
continue
|
|
}
|
|
|
|
out := types.ImageBuildOutput{
|
|
Attrs: map[string]string{},
|
|
}
|
|
for _, field := range fields {
|
|
parts := strings.SplitN(field, "=", 2)
|
|
if len(parts) != 2 {
|
|
return nil, errors.Errorf("invalid value %s", field)
|
|
}
|
|
key := strings.ToLower(parts[0])
|
|
value := parts[1]
|
|
switch key {
|
|
case "type":
|
|
out.Type = value
|
|
default:
|
|
out.Attrs[key] = value
|
|
}
|
|
}
|
|
if out.Type == "" {
|
|
return nil, errors.Errorf("type is required for output")
|
|
}
|
|
outs = append(outs, out)
|
|
}
|
|
return outs, nil
|
|
}
|