Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bake entitlements for filesystem should be allowed automatically in action #269

Closed
tonistiigi opened this issue Nov 21, 2024 · 4 comments · Fixed by #270
Closed

Bake entitlements for filesystem should be allowed automatically in action #269

tonistiigi opened this issue Nov 21, 2024 · 4 comments · Fixed by #270

Comments

@tonistiigi
Copy link
Member

tonistiigi commented Nov 21, 2024
edited
Loading

In docker/buildx#2796 by default the filesystem access is only allowed within the working directory. I think in CI context this restriction isn't probably important and the default could be to allow fs access everywhere.

@crazy-max lmk if you prefer any more buildx changes to support this.
@crazy-max
Copy link
Member

I think in CI context this restriction isn't probably important and the default could be to allow fs access everywhere.

Yes this makes sense as runners are sandboxed on their own.

@crazy-max crazy-max mentioned this issue Nov 22, 2024
Merged
@klutchell
Copy link

This --allow fs=* flag is no longer injected for buildx versions v0.19.0 and above, and it actually breaks with buildx version v0.19.2 if the files are outside of the working directory.

bake-action/src/context.ts

Lines 86 to 89 in 1677316

if (await toolkit.buildx.versionSatisfies('>=0.18.0')) {
// allow filesystem entitlements by default
inputs.allow.push('fs=*');
} 

Buildx version
  /usr/bin/docker buildx version
  github.com/docker/buildx v0.19.2 1fc5647dc281ca3c2ad5b451aeff2dce84f1dc49
Builder info
Parsing raw definition
  /usr/bin/docker buildx bake --file /home/runner/work/_temp/docker-bake.json --file /home/runner/work/_temp/docker-actions-toolkit-h5qS9X/docker-metadata-action-bake.json --set *.platform=linux/amd64 --set *.cache-to=type=gha,mode=max,scope=balena-push-env-linux/amd64 --set *.cache-from=type=gha,scope=balena-push-env-linux/amd64 --set *.cache-from=ghcr.io/balena-os/balena-yocto-scripts:master-balena-push-env --set *.cache-from=ghcr.io/balena-os/balena-yocto-scripts:3b2fd8bd993136ce86724c0ada6f47058bd34592-balena-push-env --set *.cache-from=ghcr.io/balena-os/balena-yocto-scripts:build-3b2fd8bd993136ce86724c0ada6f47058bd34592-balena-push-env --set *.cache-from=ghcr.io/balena-os/balena-yocto-scripts:build-ryan-fix-ami-balena-push-env --set *.cache-from=ghcr.io/balena-os/balena-yocto-scripts:latest-balena-push-env --set *.cache-from= --set *.cache-from= --set *.cache-from= --load --provenance false --print balena-push-env
  #1 [internal] load local bake definitions
  #1 reading /home/runner/work/_temp/docker-bake.json 342B / 342B done
  #1 reading /home/runner/work/_temp/docker-actions-toolkit-h5qS9X/docker-metadata-action-bake.json 1.86kB / 1.86kB done
  #1 DONE 0.0s
  ERROR: EOF

@crazy-max
Copy link
Member

@klutchell Do you have a link to your repo so we can look at logs?

@klutchell
Copy link

klutchell commented Dec 13, 2024
edited
Loading

Of course, are you able to view the logs at this link?
https://github.com/balena-os/balena-yocto-scripts/actions/runs/12315520883/job/34373950689

@klutchell klutchell mentioned this issue Dec 16, 2024
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

allow filesystem entitlements by default crazy-max/docker-bake-action
3 participants
@tonistiigi @crazy-max @klutchell