solver: add proxy network mode #6740

Draft
tonistiigi wants to merge 12 commits into moby:master from tonistiigi:exec-net-proxy

Conversation

@tonistiigi
Member

Add a build request option that rewrites default exec networking to an
internal proxy network while preserving explicit none networking.

Route HTTP and HTTPS traffic through a BuildKit-owned proxy namespace, enforce
source policy checks for proxied requests, and inject a temporary CA into Linux
rootfs trust bundles for HTTPS interception.

Share namespace pooling between CNI and proxy providers, and cover proxy mode
with unit and integration tests.

Record successful GET responses through the exec proxy as provenance
materials and report incomplete material coverage as a typed solve error.
Thread proxy policy and capture state through typed executor/network options.

Route proxy network policy checks through the existing source policy evaluator so
session metadata, deny messages, and URL converts use the same path as LLB
sources. Keep proxy-specific request rewriting in the proxy provider.

tonistiigi added 10 commits May 12, 2026 10:29
Add a build request option that rewrites default exec networking to an
internal proxy network while preserving explicit none networking.

Route HTTP and HTTPS traffic through a BuildKit-owned proxy namespace, enforce
source policy checks for proxied requests, and inject a temporary CA into Linux
rootfs trust bundles for HTTPS interception.

Share namespace pooling between CNI and proxy providers, and cover proxy mode
with unit and integration tests.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Record successful GET responses through the exec proxy as provenance
materials and report incomplete material coverage as a typed solve error.
Thread proxy policy and capture state through typed executor/network options.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Route proxy network policy checks through the existing source policy evaluator so
session metadata, deny messages, and URL converts use the same path as LLB
sources. Keep proxy-specific request rewriting in the proxy provider.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Record each proxied exec request and print a redacted method and URL list in
the exec progress logs after the process completes.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Apply proxy network as an explicit LLB mutation before digest recompute,
while keeping runtime load options such as platform normalization applied
when creating vertices.

This preserves distinct cache keys for proxy-network builds without
breaking gateway warning and source-map lookups that use the original LLB
digests from the frontend.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Add a proxyNetwork TOML setting and --proxy-network daemon flag to enable
exec proxy enforcement for every build. Wire the default through controller
and solver setup while preserving per-build enablement.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
@tonistiigi
Member Author

tonistiigi commented May 13, 2026

Add integration coverage for exec proxy source policy conversion. The test
requests /foo, rewrites it to /bar, and verifies exported content and
provenance materials use the converted source.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
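The pieces the PR body and this comment describe (source-policy deny and convert decisions on proxied requests, a redacted method-and-URL log, successful GETs captured as provenance materials, and a typed error for incomplete material coverage) are sketched below as an added Go example. This is not BuildKit's code: the Rule, Proxy, Material and IncompleteMaterialsError types, the fetch callback that stands in for the upstream round trip, and every URL and body are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// Action is what a policy rule does to a proxied request. Everything in this
// file is a hypothetical, simplified model written for the example; it is not
// BuildKit's source policy, executor or provenance API.
type Action int

const (
	Allow   Action = iota // pass the request through unchanged
	Deny                  // reject the request with a policy error
	Convert               // rewrite the matched prefix before fetching
)

// Rule matches a URL prefix; the first matching rule wins.
type Rule struct {
	Prefix string
	Action Action
	To     string // replacement prefix, used only by Convert
}

type Material struct{ URL, Digest string }              // URL actually fetched, sha256 of the body
type IncompleteMaterialsError struct{ Missing []string } // typed error: GETs with no material

func (e *IncompleteMaterialsError) Error() string { return fmt.Sprintf("provenance incomplete: %d proxied GET(s) without materials", len(e.Missing)) }

// Proxy holds the policy rules plus per-build capture state (single goroutine, no locking).
type Proxy struct {
	Rules     []Rule
	Materials []Material // successful GETs with body digests, in request order
	Log       []string   // redacted "METHOD url" lines for the progress output
	uncovered []string   // GET targets that produced no material
}

// Redact strips userinfo, query and fragment so logged URLs cannot leak credentials or tokens.
func Redact(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<invalid-url>"
	}
	u.User, u.RawQuery, u.Fragment = nil, "", ""
	return u.String()
}

// Evaluate applies the first matching rule and returns the URL to fetch.
func (p *Proxy) Evaluate(raw string) (string, error) {
	for _, r := range p.Rules {
		if strings.HasPrefix(raw, r.Prefix) {
			switch r.Action {
			case Deny:
				return "", fmt.Errorf("source policy denied %s", Redact(raw))
			case Convert:
				return r.To + strings.TrimPrefix(raw, r.Prefix), nil
			}
			return raw, nil // Allow
		}
	}
	return raw, nil // no rule matched: allowed unchanged
}

// Handle runs one request through policy, fetches it (body, status, error), logs it redacted, and records any material.
func (p *Proxy) Handle(method, raw string, fetch func(string) ([]byte, int, error)) ([]byte, error) {
	target, err := p.Evaluate(raw)
	if err != nil {
		return nil, err
	}
	p.Log = append(p.Log, method+" "+Redact(target))
	body, status, err := fetch(target)
	if method == "GET" {
		if err == nil && status == 200 {
			sum := sha256.Sum256(body)
			p.Materials = append(p.Materials, Material{target, "sha256:" + hex.EncodeToString(sum[:])})
		} else {
			p.uncovered = append(p.uncovered, target)
		}
	}
	return body, err
}

// Coverage is nil when every proxied GET has a material, else a typed error naming the gaps.
func (p *Proxy) Coverage() error {
	if len(p.uncovered) == 0 {
		return nil
	}
	return &IncompleteMaterialsError{Missing: append([]string(nil), p.uncovered...)}
}

func main() {
	p := &Proxy{Rules: []Rule{{Prefix: "http://blocked.example/", Action: Deny}}}
	fmt.Println(p.Handle("GET", "http://blocked.example/x?token=abc", nil)) // denied before any fetch
}
```

In this model a denied request never reaches the upstream and never appears in the log, a converted request is logged and recorded under the rewritten URL (the same shape as the /foo to /bar check in the comment above), and a GET that does not complete with a 200 leaves a gap that Coverage reports as a typed error rather than silently producing provenance that omits a fetch.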