containerd integration: Make build work

[thaJeztah]

Upstreaming

• Make build work rumpl/moby#28 Make build and buildx work
• Only use the image exporter in build if we don't use containerd rumpl/moby#36 Only use the image exporter in build if we don't use containerd
• let buildx know we support containerd snapshotter rumpl/moby#50 let buildx know we support containerd snapshotter
• Pass the current snapshotter to the buildkit worker rumpl/moby#52 Pass the current snapshotter to the buildkit worker
• builder-next: enable more cache backends rumpl/moby#58 builder-next: enable more cache backends
• builder-next: reenable runc executor rumpl/moby#57 builder-next: reenable runc executor
• builder: Emit image id when using image exporter rumpl/moby#125 builder: Emit image id when using image exporter
• builder: containerimage exporter with store option rumpl/moby#99
• builder: Emit image id when using image exporter rumpl/moby#125

No conflicts, except for vendoring / vendor.sum

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

I squashed a couple of commits as some of them were fix-ups in previous commits; kept the last two separate (but possibly the "runc" one should be squashed.

[thaJeztah]

@tonistiigi @rumpl PTAL (also at #44079 (comment))

[rumpl]

LGTM 👍

[thaJeztah]

Ah, dang; conflict in vendor.sum; I'll rebase

[thaJeztah]

done 👍

[thaJeztah]

Not sure I've seen this before;

[2022-09-08T15:21:21.530Z]  > [crun 1/2] RUN --mount=type=cache,sharing=locked,id=moby-crun-aptlib,target=/var/lib/apt     --mount=type=cache,sharing=locked,id=moby-crun-aptcache,target=/var/cache/apt         apt-get update && apt-get install -y --no-install-recommends             autoconf             automake             build-essential             libcap-dev             libprotobuf-c-dev             libseccomp-dev             libsystemd-dev             libtool             libudev-dev             libyajl-dev             python3             ;:
[2022-09-08T15:21:21.530Z] #0 1.373 runc run failed: unable to start container process: error during container init: error mounting "/var/lib/docker/buildkit/executor/resolv.conf" to rootfs at "/etc/resolv.conf": possibly malicious path detected -- refusing to operate on /var/lib/docker/buildkit/executor/qj8f5s2o4ep3euuoz99hyp7a0/rootfs/etc/resolv.conf (deleted)

[thaJeztah]

/cc @tonistiigi

[thaJeztah]

Alright; this time it passed without the weird error; looks like a race indeed?

@tonistiigi PTAL if this PR looks good to you 🙏

[crazy-max]

Alright; this time it passed without the weird error; looks like a race indeed?

@thaJeztah fyi BuildKit tests in this workflow https://github.com/moby/moby/blob/master/.github/workflows/buildkit.yml don't run with containerd snapshotter atm.

As discussed with @tonistiigi, this matrix should run both with dockerd worker and containerd integration.

Basically we should change the worker being tested to make it based on a new matrix entry and also update docker daemon config accordingly. I can do it on @rumpl fork so you can cherry pick here. LGTY?

[cpuguy83]

Code looks mostly good.
Also tested this out and it seems to work pretty well, even supports multi-platform output.

Logs are quite verbose after a build and looks like there's some transient error that occurs:

INFO[2022-11-01T21:53:03.707692329Z] [core] Subchannel Connectivity change to CONNECTING  module=grpc
INFO[2022-11-01T21:53:03.707771334Z] [core] Subchannel picks a new address "localhost" to connect  module=grpc
INFO[2022-11-01T21:53:03.707832438Z] [core] Channel Connectivity change to CONNECTING  module=grpc
WARN[2022-11-01T21:53:03.707856239Z] [core] grpc: addrConn.createTransport failed to connect to {localhost localhost <nil> <nil> 0 <nil>}. Err: connection error: desc = "transport: Error while dialing only one connection allowed"  module=grpc
INFO[2022-11-01T21:53:03.707904743Z] [core] Subchannel Connectivity change to TRANSIENT_FAILURE  module=grpc
INFO[2022-11-01T21:53:03.707934945Z] [core] Channel Connectivity change to TRANSIENT_FAILURE  module=grpc
ERRO[2022-11-01T21:53:03.708072154Z] healthcheck failed fatally                   
INFO[2022-11-01T21:53:03.708146258Z] [core] Channel Connectivity change to SHUTDOWN  module=grpc

Not sure if that's related to this change or just the containerd snapshotter use-case as a whole.

[thaJeztah]

was to add a new worker feature (like FeatureCacheExportS3)

Yeah, for that specific case, thinking if (ideally) exporters should have a mechanism to "register" themselves, and some way to get that list. Similar to how (e.g.) graph drivers register themselves 🤔

[vvoland]

However, I think in the end we still will need to support the s3 cache backend anyway, so adding the extra compat checks to buildkit tests is a bit wasteful work.

We already have the aws-sdk vendored it, so hopefully for now we can just vendor the s3 bits until we have a way to push these out of moby (see Brian's suggestion: #44079 (comment))

[vvoland]

Opened a vendor PR: #45095
Also included the vendor here to re-run the tests.
Thanks, I didn't consider vendoring non-released version 😅

[vvoland]

Rebased and included the s3 cache support. Now all buildkit tests should pass.
Warning: it vendors 88k lines of code (s3 related code from aws-sdk-go-v2). Do we want to squash it, or should I open a separate PR for it?

[thaJeztah]

Comparing these two, I noticed that these are not "symmetrical";

• ❓ is it expected that the inline cache is included in Exporters, but not in Importers ?
• (nit): perhaps we should sort both lists have the exporters/importers in the same order (we could just sort them alphabetically, then at least there's no bike-shedding about what order they should appear in).

[vvoland]

Sorting would definitely make sense!

Regarding inline cache - according to the buildkit's docs it embeds the cache into the image and is expected to be imported with the registry cache: https://github.com/moby/buildkit#inline-push-image-and-cache-together

[thaJeztah]

Yes, I was wondering if it was something like that 🤔 it was confusing me a bit though (we could even consider including a comment to describe that, if what you linked to is indeed the expected behaviour). /cc @crazy-max @jedevc (if you know)

[jedevc]

Yeah this is expected - they are assymetrical. Inline cache works fundamentally differently than the other types of cache though they expose the same interface (but we can import them in the same way).

[cpuguy83]

I would really prefer to keep s3/azure caching out of the main dockerd binary.

[thaJeztah]

Rebased and included the s3 cache support. Now all buildkit tests should pass.
Warning: it vendors 88k lines of code (s3 related code from aws-sdk-go-v2). Do we want to squash it, or should I open a separate PR for it?

I'm tempted to say; open as a separate PR, as there's other caching that we may want to(?) add, but IIUC, it was currently needed to make the BuildKit CI pass (as it runs some tests that expect s3 to be supported?)

For the caching, I was wondering how authentication is handled, and it looks like they use environment-variables that are supported by the SDKs. If we add support for those (guess this would be "automatically?"), at least we need to update the documentation for the daemon to mention the environment variables it may be using;

• https://docs.docker.com/build/cache/backends/s3/#authentication

  access_key_id, secret_access_key, and session_token, if left unspecified, are read from environment variables on the BuildKit server following the scheme for the AWS Go SDK. The environment variables are read from the server, not the Buildx client.

• https://docs.docker.com/build/cache/backends/gha/#authentication

  If the url or token parameters are left unspecified, the gha cache backend will fall back to using environment variables.

• https://docs.docker.com/build/cache/backends/azblob/#authentication

  The secret_access_key, if left unspecified, is read from environment variables on the BuildKit server following the scheme for the Azure Go SDK. The environment variables are read from the server, not the Buildx client.

That said, perhaps we need to look at those;

• Do we want them to automatically look at environment variables? (such env-vars may be present for other purposes; perhaps it's ok to use them, but at least users should be aware that dockerd now may be using those (so implicitly gets access to their s3/azure/github account)
• Do we want configuration options in daemon.json to allow users to specify (default) accounts for caching? (which may be separate from environment variables on the host)?

[thaJeztah]

As discussed in the call;

• We removed the s3 caching from this PR (for follow-up discussion)
• Temporarily removed the BuildKit CI changes, because those currently fail without the s3 caching (as they run some tests that expect it to be present)

BuildKit CI was green before those patches were removed (but they allowed us to verify that everything worked)

[thaJeztah]

LGTM (can't approve as this PR was originally opened by me)

@cpuguy83 @neersighted @rumpl PTAL if you're okay with the last iteration)

[thaJeztah]

For transparency; this PR does add gha as caching backend, which also implicitly adds support in the daemon for reading GHA authentication information from env vars (as mentioned above #44079 (comment))

https://docs.docker.com/build/cache/backends/gha/#authentication
If the url or token parameters are left unspecified, the gha cache backend will fall back to using environment variables.

I think it's okay to keep that change in, but I'll open a tracking ticket for further discussion on how we want to go forward with configuring these.

[rumpl]

Yay!