Merge pull request #15 from crazy-max/default-entitlements

Allow daemon side entitlements by default
docker · Sep 5, 2020 · 54edbcd · 54edbcd
2 parents 5636be6 + 0be6f65
commit 54edbcd
Show file tree

Hide file tree

Showing 7 changed files with 87 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -131,7 +131,7 @@ Following inputs can be used as `step.with` keys
 | `version`          | String  | [Buildx](https://github.com/docker/buildx) version. (e.g. `v0.3.0`, `latest`) |
 | `driver`           | String  | Sets the [builder driver](https://github.com/docker/buildx#--driver-driver) to be used (default `docker-container`) |
 | `driver-opts`      | CSV     | List of additional [driver-specific options](https://github.com/docker/buildx#--driver-opt-options) |
-| `buildkitd-flags`  | String  | [Flags for buildkitd](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md) daemon |
+| `buildkitd-flags`  | String  | [Flags for buildkitd](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md) daemon (since [buildx v0.3.0](https://github.com/docker/buildx/releases/tag/v0.3.0)) |
 | `install`          | Bool    | Sets up `docker build` command as an alias to `docker buildx` (default `false`) |
 | `use`              | Bool    | Switch to this builder instance (default `true`) |
 

diff --git a/__tests__/buildx.test.ts b/__tests__/buildx.test.ts
@@ -3,26 +3,34 @@ import * as docker from '../src/docker';
 import * as buildx from '../src/buildx';
 import * as path from 'path';
 import * as os from 'os';
+import * as semver from 'semver';
+import * as exec from '@actions/exec';
 
-const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'setup-buildx-'));
+describe('getVersion', () => {
+  it('valid', async () => {
+    await exec.exec('docker', ['buildx', 'version']);
+    const version = await buildx.getVersion();
+    console.log(`version: ${version}`);
+    expect(semver.valid(version)).not.toBeNull();
+  }, 100000);
+});
 
-describe('buildx', () => {
+describe('parseVersion', () => {
+  test.each([
+    ['github.com/docker/buildx 0.4.1+azure bda4882a65349ca359216b135896bddc1d92461c', '0.4.1'],
+    ['github.com/docker/buildx v0.4.1 bda4882a65349ca359216b135896bddc1d92461c', '0.4.1'],
+    ['github.com/docker/buildx v0.4.2 fb7b670b764764dc4716df3eba07ffdae4cc47b2', '0.4.2']
+  ])('given %p', async (stdout, expected) => {
+    expect(await buildx.parseVersion(stdout)).toEqual(expected);
+  });
+});
+
+describe('platforms', () => {
   async function isDaemonRunning() {
     return await docker.isDaemonRunning();
   }
-
-  it('is available', async () => {
-    expect(await buildx.isAvailable()).toBe(true);
-  }, 100000);
-
-  it('count builders', async () => {
-    const countBuilders = await buildx.countBuilders();
-    console.log(`countBuilders: ${countBuilders}`);
-    expect(countBuilders).toBeGreaterThan(0);
-  }, 100000);
-
   (isDaemonRunning() ? it : it.skip)(
-    'platforms',
+    'valid',
     async () => {
       const platforms = buildx.platforms();
       console.log(`platforms: ${platforms}`);
@@ -31,13 +39,23 @@ describe('buildx', () => {
     },
     100000
   );
+});
+
+describe('countBuilders', () => {
+  it('valid', async () => {
+    const countBuilders = await buildx.countBuilders();
+    console.log(`countBuilders: ${countBuilders}`);
+    expect(countBuilders).toBeGreaterThan(0);
+  }, 100000);
+});
 
+describe('install', () => {
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'setup-buildx-'));
   it('acquires v0.2.2 version of buildx', async () => {
     const buildxBin = await buildx.install('v0.2.2', tmpDir);
     console.log(buildxBin);
     expect(fs.existsSync(buildxBin)).toBe(true);
   }, 100000);
-
   it('acquires latest version of buildx', async () => {
     const buildxBin = await buildx.install('latest', tmpDir);
     console.log(buildxBin);

diff --git a/action.yml b/action.yml
@@ -19,6 +19,7 @@ inputs:
     required: false
   buildkitd-flags:
     description: 'Flags for buildkitd daemon'
+    default: '--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host'
     required: false
   install:
     description: 'Sets up docker build command as an alias to docker buildx'

diff --git a/dist/index.js b/dist/index.js
diff --git a/src/buildx.ts b/src/buildx.ts
@@ -8,6 +8,23 @@ import * as github from './github';
 import * as core from '@actions/core';
 import * as tc from '@actions/tool-cache';
 
+export async function getVersion(): Promise<string> {
+  return await exec.exec(`docker`, ['buildx', 'version'], true).then(res => {
+    if (res.stderr != '' && !res.success) {
+      throw new Error(res.stderr);
+    }
+    return parseVersion(res.stdout);
+  });
+}
+
+export async function parseVersion(stdout: string): Promise<string> {
+  const matches = /\sv?([0-9.]+)/.exec(stdout);
+  if (!matches) {
+    throw new Error(`Cannot parse Buildx version`);
+  }
+  return semver.clean(matches[1]);
+}
+
 export async function isAvailable(): Promise<Boolean> {
   return await exec.exec(`docker`, ['buildx'], true).then(res => {
     if (res.stderr != '' && !res.success) {

diff --git a/src/context.ts b/src/context.ts
@@ -17,7 +17,9 @@ export async function getInputs(): Promise<Inputs> {
     version: core.getInput('version'),
     driver: core.getInput('driver') || 'docker-container',
     driverOpts: await getInputList('driver-opts', true),
-    buildkitdFlags: core.getInput('buildkitd-flags'),
+    buildkitdFlags:
+      core.getInput('buildkitd-flags') ||
+      '--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host',
     install: /true/i.test(core.getInput('install')),
     use: /true/i.test(core.getInput('use'))
   };

diff --git a/src/main.ts b/src/main.ts
@@ -2,6 +2,7 @@ import * as core from '@actions/core';
 import * as exec from '@actions/exec';
 import * as os from 'os';
 import * as path from 'path';
+import * as semver from 'semver';
 import * as buildx from './buildx';
 import * as context from './context';
 import * as mexec from './exec';
@@ -21,8 +22,8 @@ async function run(): Promise<void> {
       await buildx.install(inputs.version || 'latest', dockerConfigHome);
     }
 
-    core.info('📣 Buildx info');
-    await exec.exec('docker', ['buildx', 'version']);
+    const buildxVersion = await buildx.getVersion();
+    core.info(`📣 Buildx version: ${buildxVersion}`);
 
     const builderName: string =
       inputs.driver == 'docker' ? 'default' : `builder-${process.env.GITHUB_JOB}-${(await buildx.countBuilders()) + 1}`;
@@ -35,7 +36,7 @@ async function run(): Promise<void> {
       await context.asyncForEach(inputs.driverOpts, async driverOpt => {
         createArgs.push('--driver-opt', driverOpt);
       });
-      if (inputs.buildkitdFlags) {
+      if (inputs.buildkitdFlags && semver.satisfies(buildxVersion, '>=0.3.0')) {
         createArgs.push('--buildkitd-flags', inputs.buildkitdFlags);
       }
       if (inputs.use) {