feat: support buildkit v0.13.1

alauda · Apr 8, 2024 · 88abb45 · 88abb45
1 parent 2ae42e0
commit 88abb45
Show file tree

Hide file tree

Showing 78 changed files with 13,563 additions and 14 deletions.
diff --git a/.build/build.yaml b/.build/build.yaml
@@ -0,0 +1,88 @@
+apiVersion: builds.katanomi.dev/v1alpha1
+kind: Build
+spec:
+  workspaces:
+    - description: |
+        This workspace is shared among all the pipeline tasks to read/write common resources
+      name: source
+  tasks:
+    - name: buildkit-oss-version
+      workspaces:
+        - name: source
+          workspace: source
+      taskSpec:
+        description: |
+          generate oss version
+        results:
+          - description: oss version
+            name: oss-version
+        steps:
+          - image: build-harbor.alauda.cn/devops/builder-tools:alpine-v3.8.0
+            name: read-oss-file
+            imagePullPolicy: IfNotPresent
+            workingDir: $(workspaces.source.path)
+            resources:
+              requests:
+                cpu: 100m
+                memory: 100Mi
+            script: |
+              echo "generate oss version"
+              echo -n "$(cat ./buildkit_version| xargs echo -e)"
+              echo -n "$(cat ./buildkit_version| xargs echo -e)" > $(results.oss-version.path)
+        workspaces:
+          - name: source
+            workspace: source
+    - name: build-buildkit-image
+      runAfter:
+        - buildkit-oss-version
+      timeout: 30m
+      retries: 0
+      taskRef:
+        kind: ClusterTask
+        name: alauda-build-image
+      workspaces:
+        - name: source
+          workspace: source
+      params:
+        - name: container-image
+          value: build-harbor.alauda.cn/devops/buildkit
+        - name: container-image-tag
+          value: $(tasks.buildkit-oss-version.results.oss-version)-alpine-$(build.git.lastCommit.shortID)
+        - name: dockerfile
+          value: Dockerfile
+        - name: labels
+          value:
+            - branch=$(build.git.branch)
+            - commit=$(build.git.lastCommit.id)
+        - name: build-extra-args
+          value: --build-arg app_version=$(build.git.version.docker) --build-arg
+            commit_id=$(build.git.lastCommit.id) --build-arg GIT_REVISION=$(build.git.lastCommit.id) --build-arg GIT_VERSION=$(build.git.version.docker)
+        - name: platform
+          value:
+            - linux/amd64
+            - linux/arm64
+        - name: tools-image
+          value: registry.alauda.cn:60080/devops/builder-tools:v3.8-0-g377a3f9
+        - name: verbose
+          value: "false"
+    - name: image-scan
+      runAfter:
+        - build-buildkit-image
+      timeout: 30m
+      retries: 0
+      taskRef:
+        kind: ClusterTask
+        name: trivy-image-scan
+      workspaces:
+        - name: source
+          workspace: source
+      when: []
+      params:
+        - name: targets
+          value:
+            - $(tasks.build-buildkit-image.results.ociContainerImageBuild-url)
+        - name: quality-gate
+          value: "false"
+  runTemplate:
+    spec:
+      taskRunSpecs: []
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,7 @@
+# buildkit 变更记录
+
+官方地址：[buildkit](https://github.com/moby/buildkit/tree/v0.13.1)
+
+- 自动识别 http/https 仓库，默认使用insecure client请求。
+  - [DEVOPS-19463](https://jira.alauda.cn/browse/DEVOPS-19463) pull http仓库失败问题
+  - [DEVOPS-19601](https://jira.alauda.cn/browse/DEVOPS-19601) 连接自签名https仓库拉取失败问题
diff --git a/Dockerfile b/Dockerfile
@@ -18,7 +18,8 @@ ARG GOTESTSUM_VERSION=v1.9.0
 ARG DELVE_VERSION=v1.21.0
 
 ARG GO_VERSION=1.21
-ARG ALPINE_VERSION=3.19
+ARG ALPINE_VERSION=3
+ARG ALPINE_IMAGE=build-harbor.alauda.cn/ops/alpine
 ARG XX_VERSION=1.4.0
 ARG BUILDKIT_DEBUG
 
@@ -28,12 +29,12 @@ FROM minio/mc:${MINIO_MC_VERSION} AS minio-mc
 
 # alpine base for buildkit image
 # TODO: remove this when alpine image supports riscv64
-FROM alpine:${ALPINE_VERSION} AS alpine-amd64
-FROM alpine:${ALPINE_VERSION} AS alpine-arm
-FROM alpine:${ALPINE_VERSION} AS alpine-arm64
-FROM alpine:${ALPINE_VERSION} AS alpine-s390x
-FROM alpine:${ALPINE_VERSION} AS alpine-ppc64le
-FROM alpine:edge@sha256:2d01a16bab53a8405876cec4c27235d47455a7b72b75334c614f2fb0968b3f90 AS alpine-riscv64
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-amd64
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-arm
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-arm64
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-s390x
+FROM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS alpine-ppc64le
+FROM ${ALPINE_IMAGE}:edge@sha256:2d01a16bab53a8405876cec4c27235d47455a7b72b75334c614f2fb0968b3f90 AS alpine-riscv64
 FROM alpine-$TARGETARCH AS alpinebase
 
 # xx is a helper for cross-compilation
@@ -43,7 +44,7 @@ FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golatest
 
 # git stage is used for checking out remote repository sources
-FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS git
+FROM --platform=$BUILDPLATFORM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS git
 RUN apk add --no-cache git
 
 # gobuild is base stage for compiling go/cgo
@@ -164,7 +165,7 @@ RUN --mount=from=dnsname-src,src=/usr/src/dnsname,target=.,rw \
     CGO_ENABLED=0 xx-go build -o /usr/bin/dnsname ./plugins/meta/dnsname && \
     xx-verify --static /usr/bin/dnsname
 
-FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS cni-plugins
+FROM --platform=$BUILDPLATFORM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS cni-plugins
 RUN apk add --no-cache curl
 COPY --from=xx / /
 ARG CNI_VERSION
@@ -208,7 +209,7 @@ FROM binaries-$TARGETOS AS binaries
 # enable scanning for this stage
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
-FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS releaser
+FROM --platform=$BUILDPLATFORM ${ALPINE_IMAGE}:${ALPINE_VERSION} AS releaser
 RUN apk add --no-cache tar gzip
 WORKDIR /work
 ARG TARGETPLATFORM
@@ -220,7 +221,7 @@ FROM scratch AS release
 COPY --link --from=releaser /out/ /
 
 FROM alpinebase AS buildkit-export
-RUN apk add --no-cache fuse3 git openssh pigz xz iptables ip6tables \
+RUN apk add --no-cache fuse3 git openssh pigz xz iptables ip6tables skopeo \
   && ln -s fusermount3 /usr/bin/fusermount
 COPY --link examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/
 VOLUME /var/lib/buildkit

diff --git a/buildkit_version b/buildkit_version
@@ -0,0 +1 @@
+v0.13.1
diff --git a/catalog.yaml b/catalog.yaml
@@ -0,0 +1,26 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: buildkit
+  title: buildkit
+  description: Buildkit 是一个高效的构建镜像的工具，该镜像基于官方版本做了若干参数的调整定制。
+  annotations:
+    # gitlab plugin
+    gitlab.com/project-slug: devops/builder-buildkit
+    gitlab.com/instance: gitlab-ce.alauda.cn
+    # acp cicd plugin
+    acp.cpaas.io/ci-pipeline: devops/business-build/tools/builder-buildkit
+    acp.cpaas.io/instance: edge.alauda.cn
+    # harbor plugin
+    goharbor.io/repository-slug: devops/buildkit
+    # sonarqube plugin
+    sonarqube.org/project-key: ""
+    # backstage techdocs plugin
+    backstage.io/techdocs-ref: dir:./buildkit-v0.10.4
+    acp.cpaas.io/owner: kychen@alauda.io
+
+spec:
+  type: tools
+  system: system:katanomi-system
+  lifecycle: production
+  owner: devops
diff --git a/examples/buildctl-daemonless/buildctl-daemonless.sh b/examples/buildctl-daemonless/buildctl-daemonless.sh
@@ -9,7 +9,7 @@
 set -eu
 
 : ${BUILDCTL=buildctl}
-: ${BUILDCTL_CONNECT_RETRIES_MAX=10}
+: ${BUILDCTL_CONNECT_RETRIES_MAX=30}
 : ${BUILDKITD=buildkitd}
 : ${BUILDKITD_FLAGS=}
 : ${ROOTLESSKIT=rootlesskit}

diff --git a/go.mod b/go.mod
@@ -134,6 +134,7 @@ require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
@@ -145,6 +146,7 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/pprof v0.0.0-20230323073829-e72429f035bd // indirect
 	github.com/google/uuid v1.5.0 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
 	github.com/hanwen/go-fuse/v2 v2.4.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect

diff --git a/go.sum b/go.sum
@@ -137,6 +137,8 @@ github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
 github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
 github.com/docker/cli v25.0.3+incompatible h1:KLeNs7zws74oFuVhgZQ5ONGZiXUUdgsdy6/EsX/6284=
 github.com/docker/cli v25.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
+github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v25.0.3+incompatible h1:D5fy/lYmY7bvZa0XTZ5/UJPljor41F+vdyJG5luQLfQ=
 github.com/docker/docker v25.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
@@ -230,6 +232,8 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
 github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
+github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=

diff --git a/util/resolver/resolver.go b/util/resolver/resolver.go
@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"path"
 	"path/filepath"
@@ -13,13 +14,21 @@ import (
 	"time"
 
 	"github.com/containerd/containerd/remotes/docker"
+	"github.com/docker/distribution/registry/client/auth"
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/docker/registry"
 	"github.com/moby/buildkit/util/resolver/config"
 	"github.com/moby/buildkit/util/tracing"
+	"github.com/moby/buildkit/version"
 	"github.com/pkg/errors"
 )
 
 const (
 	defaultPath = "/v2"
+
+	// DefaultRegistryVersionHeader is the name of the default HTTP header
+	// that carries Registry version info
+	DefaultRegistryVersionHeader = "Docker-Distribution-Api-Version"
 )
 
 func fillInsecureOpts(host string, c config.RegistryConfig, h docker.RegistryHost) (*docker.RegistryHost, error) {
@@ -159,12 +168,73 @@ func NewRegistryConfig(m map[string]config.RegistryConfig) docker.RegistryHosts
 			return out, nil
 		},
 		docker.ConfigureDefaultRegistries(
-			docker.WithClient(newDefaultClient()),
-			docker.WithPlainHTTP(docker.MatchLocalhost),
+			docker.WithClient(newInsecureDefaultClient()),
+			docker.WithPlainHTTP(isPlainHTTP),
 		),
 	)
 }
 
+func isPlainHTTP(host string) (bool, error) {
+	plainHTTP, err := docker.MatchLocalhost(host)
+	if err != nil {
+		return false, err
+	}
+
+	if plainHTTP {
+		return plainHTTP, nil
+	}
+
+	return isHttpRegistry(host), nil
+}
+
+func isHttpRegistry(host string) bool {
+	base := newDefaultTransport()
+	base.TLSClientConfig = &tls.Config{}
+	base.TLSClientConfig.InsecureSkipVerify = true
+
+	modifiers := registry.Headers(version.UserAgent(), nil)
+	authTransport := transport.NewTransport(base, modifiers...)
+
+	// By default, http attempts to authenticate the v2 interface.
+	endpoint := &url.URL{
+		Scheme: "https",
+		Host:   host,
+	}
+	v2Version := auth.APIVersion{
+		Type:    "registry",
+		Version: "2.0",
+	}
+
+	pingClient := &http.Client{
+		Transport: authTransport,
+		Timeout:   15 * time.Second,
+	}
+
+	endpointStr := strings.TrimRight(endpoint.String(), "/") + "/v2/"
+	req, err := http.NewRequest(http.MethodGet, endpointStr, nil)
+	if err != nil {
+		return true
+	}
+
+	resp, err := pingClient.Do(req)
+	if err != nil {
+		return true
+	}
+	defer resp.Body.Close()
+
+	versions := auth.APIVersions(resp, DefaultRegistryVersionHeader)
+	for _, pingVersion := range versions {
+		if pingVersion == v2Version {
+			// The version header indicates we're definitely
+			// talking to a v2 registry. So don't allow future
+			// fallbacks to the v1 protocol.
+			return false
+		}
+	}
+
+	return true
+}
+
 func newMirrorRegistryHost(mirror string) docker.RegistryHost {
 	mirrorHost, mirrorPath := extractMirrorHostAndPath(mirror)
 	path := path.Join(defaultPath, mirrorPath)
@@ -179,6 +249,16 @@ func newMirrorRegistryHost(mirror string) docker.RegistryHost {
 	return h
 }
 
+func newInsecureDefaultClient() *http.Client {
+	httpsTransport := newDefaultTransport()
+	httpsTransport.TLSClientConfig = &tls.Config{}
+	httpsTransport.TLSClientConfig.InsecureSkipVerify = true
+
+	return &http.Client{
+		Transport: tracing.NewTransport(httpsTransport),
+	}
+}
+
 func newDefaultClient() *http.Client {
 	return &http.Client{
 		Transport: tracing.NewTransport(newDefaultTransport()),

diff --git a/vendor/github.com/docker/distribution/.dockerignore b/vendor/github.com/docker/distribution/.dockerignore
diff --git a/vendor/github.com/docker/distribution/.gitignore b/vendor/github.com/docker/distribution/.gitignore