Example of using buildkit entitlements with LLB
package main
import (
	"context"
	"fmt"
	"os"

	"github.com/moby/buildkit/client"
	"github.com/moby/buildkit/client/llb"
	"github.com/moby/buildkit/util/entitlements"
)
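const (
	// buildkitAddr is the local daemon the example talks to.
	buildkitAddr = "unix:///run/buildkit/buildkitd.sock"
	// baseImage is the image each single-step build runs in.
	baseImage = "busybox:latest"
)

// main connects to a local buildkitd, lists its workers, and then solves two
// one-step LLB builds that inspect the effective capability set (CapEff) of the
// running step: one under the default (confined) security mode and one under
// llb.SecurityModeInsecure. The second solve is only accepted when the client
// lists entitlements.EntitlementSecurityInsecure in AllowedEntitlements and
// buildkitd itself was started with --allow-insecure-entitlement
// security.insecure; both opt-ins are required. Any failure is printed to
// stderr and the process exits non-zero.
func main() {
	if err := run(context.Background()); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}

// run performs the worker listing and the two solves against buildkitAddr and
// returns the first error encountered. The client is closed before returning.
func run(ctx context.Context) error {
	c, err := client.New(ctx, buildkitAddr)
	if err != nil {
		return fmt.Errorf("connecting to %s: %w", buildkitAddr, err)
	}
	defer c.Close()

	workers, err := c.ListWorkers(ctx)
	if err != nil {
		return fmt.Errorf("listing workers: %w", err)
	}
	// Print worker IDs and platforms rather than the raw slice of pointers.
	for _, w := range workers {
		fmt.Printf("worker %s platforms=%v\n", w.ID, w.Platforms)
	}

	// Default security mode: the step greps for the confined CapEff mask. No
	// entitlement is requested, so this solve does not depend on how the
	// daemon's --allow-insecure-entitlement flag was set.
	confined := llb.Image(baseImage).
		Run(llb.Shlex(`sh -c 'cat /proc/self/status | grep CapEff | grep "00000000a80425fb"'`))
	if err := solveCapEffCheck(ctx, c, confined, nil); err != nil {
		return fmt.Errorf("confined profile: %w", err)
	}
	fmt.Println("confined profile works fine...")

	// Insecure security mode: the step greps for the full CapEff mask. The
	// solve is refused unless EntitlementSecurityInsecure is listed here and
	// the daemon was started with --allow-insecure-entitlement
	// security.insecure, so a success here proves both opt-ins are in place.
	insecure := llb.Image(baseImage).
		Run(llb.Shlex(`sh -c 'cat /proc/self/status | grep CapEff | grep "0000003fffffffff"'`), llb.Security(llb.SecurityModeInsecure))
	allowed := []entitlements.Entitlement{entitlements.EntitlementSecurityInsecure}
	if err := solveCapEffCheck(ctx, c, insecure, allowed); err != nil {
		return fmt.Errorf("unconfined profile: %w", err)
	}
	fmt.Println("unconfined profile works fine...")
	return nil
}

// solveCapEffCheck marshals st and solves it with the given entitlements.
// The shell pipeline inside st exits non-zero, failing the solve, when the
// step's CapEff line does not contain the expected mask, so a nil return
// means the step ran with the capability mask the caller expected.
func solveCapEffCheck(ctx context.Context, c *client.Client, st llb.State, allowed []entitlements.Entitlement) error {
	def, err := st.Marshal()
	if err != nil {
		return fmt.Errorf("marshalling LLB: %w", err)
	}
	if _, err := c.Solve(ctx, def, client.SolveOpt{AllowedEntitlements: allowed}, nil); err != nil {
		return fmt.Errorf("solving: %w", err)
	}
	return nil
}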
@kunalkushwaha

To test the above example:

run the buildkit daemon with `--allow-insecure-entitlement security.insecure` (without this flag the second Solve, which requests the security.insecure entitlement, is refused):

$ sudo buildkitd --allow-insecure-entitlement security.insecure
INFO[0000] found worker "xufvn49jztgx38k4kx65qz2gx", labels=map[org.mobyproject.buildkit.worker.executor:oci org.mobyproject.buildkit.worker.hostname:kunal-HP-dev org.mobyproject.buildkit.worker.snapshotter:overlayfs], platforms=[linux/amd64] 
INFO[0000] found worker "yb8qi650mo2xivq71z7gu7yta", labels=map[org.mobyproject.buildkit.worker.executor:containerd org.mobyproject.buildkit.worker.hostname:kunal-HP-dev org.mobyproject.buildkit.worker.snapshotter:overlayfs], platforms=[linux/amd64] 
INFO[0000] found 2 workers, default="xufvn49jztgx38k4kx65qz2gx" 
WARN[0000] currently, only the default worker can be used. 
INFO[0000] running server on /run/buildkit/buildkitd.sock 

run the test program:

$ sudo go run mytest.go 
[0xc000370280 0xc0003702d0]
confined profile works fine...
unconfined profile works fine...
