Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixup attestation platforms for the local exporter #3321

Merged
merged 5 commits into from
Dec 8, 2022
Merged

Fixup attestation platforms for the local exporter #3321

merged 5 commits into from
Dec 8, 2022

Conversation

jedevc
Copy link
Member

@jedevc jedevc commented Nov 25, 2022

⬆️ Follow-up to #3197.

This PR corrects the behaviour of the local exporter with the multi-platform argument. Essentially, the problem boils down to the fact that we can't distinguish at the exporter level between the results produced by the following:

$ buildctl build --opt platform=linux/amd64 --opt attest:sbom
$ buildctl build --opt platform=linux/amd64 --opt attest:sbom --opt build-arg:BUILDKIT_MULTI_PLATFORM=true

We'd like the former to produce a flat file structure through the local exporter, and the latter to produce an explicitly nested file structure through the same exporter. However, both of these produce Refs instead of a singular Ref, so we can't just look at the Result to know which one.

To solve this, we can handle this case like SOURCE_DATE_EPOCH, and detect in the control API boundary if the multi-platform option is set and directly forward it to the exporter, which we can use to make the right call about what format of output to produce. As part of this, we fixup the client to send all frontend attributes to the main solve request for Solves inside Builds - since we would now be having to filter through all attestation arguments, SOURCE_DATE_EPOCH and BUILDKIT_MULTI_PLATFORM/multi-platform - which is frustrating and limits upgrade paths. This behavior was previously broken on master, the fallback for SOURCE_DATE_EPOCH in the control API boundary would never be activated by buildctl or buildx, since they use Solves inside Builds exclusively.

We should probably pick this into the release, since without it, BUILDKIT_MULTI_PLATFORM won't work as intended for the local exporter. Additionally, the fallback for SOURCE_DATE_EPOCH won't work correctly.

@jedevc jedevc force-pushed the fixup-attestation-platforms branch 2 times, most recently from 5616047 to 583e480 Compare December 6, 2022 11:24
@jedevc jedevc force-pushed the fixup-attestation-platforms branch from 583e480 to 4dc3a5c Compare December 6, 2022 16:09
@jedevc jedevc added this to the v0.11.0 milestone Dec 8, 2022
@jedevc
client: solve method should not modify opt argument
1050795 
Signed-off-by: Justin Chadwell <me@jedevc.com>
@jedevc
client: don't clear frontend attributes to send to server
8edf57d 
Originally, for a Build, we avoided sending any of the FrontendAttrs to
the main Solve call, and sent them all to the sub-Solve calls.

However, when we added attestations, we had to add an additional Filter,
to ensure those args were sent to both locations. While unintuitive,
there wasn't logical location to put them, which would have applied to
the entire build. This pattern has become fairly common, for instances
where the buildkit backend can provide a fallback when the frontend does
not support a specified option, for example, with SOURCE_DATE_EPOCH.

This means that this filtering must be updated for each instance -
instead of this, we can remove the filtering entirely, which should
provide for easier upgrade paths going forwards.

Signed-off-by: Justin Chadwell <me@jedevc.com>
@jedevc
dockerfile: correct typo multiple platforms in error
2fe41bc 
Signed-off-by: Justin Chadwell <me@jedevc.com>
@jedevc
epoch: refactor frontend attribute parsing
50c2083 
Signed-off-by: Justin Chadwell <me@jedevc.com>
@jedevc
exporter: detect if multi-platform is set
6f21d6b 
This is required now that the correspondence between platforms and refs
has been broken. Without it, there's no way to detect between the
following cases from the output that they emit:

	buildctl build --opt platform=linux/amd64 --opt attest:sbom
	buildctl build --opt platform=linux/amd64 --opt attest:sbom --opt build-arg:BUILDKIT_MULTI_PLATFORM=true

We'd like the former to produce a flat file structure through the local
exporter, and the latter to produce an explicitly nested file structure
through the same exporter. However, both of these produce Refs instead
of a singular Ref, so we can't just look at the Result to know which
one.

Similar to how we handle the SOURCE_DATE_EPOCH build-arg, we can handle
the multi-platform args at the control API boundary, setting the
explicit option multi-platform in the exporter if it is set. In the
future, we can guide users away from the BUILDKIT_MULTI_PLATFORM args
entirely, and towards the multi-platform exporter option if we want.

Signed-off-by: Justin Chadwell <me@jedevc.com>
@jedevc jedevc force-pushed the fixup-attestation-platforms branch from 4dc3a5c to 6f21d6b Compare December 8, 2022 14:47
@tonistiigi tonistiigi merged commit 01c0d67 into moby:master Dec 8, 2022
This was referenced Dec 9, 2022
Closed
Merged
@crazy-max crazy-max mentioned this pull request Dec 13, 2023
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crazy-max crazy-max crazy-max left review comments

@tonistiigi tonistiigi tonistiigi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.11.0
Development

Successfully merging this pull request may close these issues.
3 participants
@jedevc @tonistiigi @crazy-max