dockerfile: device support with frontend attribute

Signed-off-by: CrazyMax <[email protected]>

Author: crazy-max

frontend/dockerfile/dockerfile2llb/convert.go

@@ -724,6 +724,7 @@ func toDispatchState(ctx context.Context, dt []byte, opt ConvertOpt) (*dispatchS
 			extraHosts:          opt.ExtraHosts,
 			shmSize:             opt.ShmSize,
 			ulimit:              opt.Ulimits,
+			devices:             opt.Devices,
 			cgroupParent:        opt.CgroupParent,
 			llbCaps:             opt.LLBCaps,
 			sourceMap:           opt.SourceMap,
@@ -859,6 +860,7 @@ type dispatchOpt struct {
 	extraHosts          []llb.HostIP
 	shmSize             int64
 	ulimit              []*pb.Ulimit
+	devices             []*pb.CDIDevice
 	cgroupParent        string
 	llbCaps             *apicaps.CapSet
 	sourceMap           *llb.SourceMap
@@ -1303,6 +1305,13 @@ func dispatchRun(d *dispatchState, c *instructions.RunCommand, proxy *llb.ProxyE
 		}
 	}
 
+	// TODO: use entitlements and put this on labs
+	if dopt.llbCaps != nil && dopt.llbCaps.Supports(pb.CapExecMetaCDI) == nil {
+		for _, u := range dopt.devices {
+			opt = append(opt, llb.AddCDIDevice(u.Name))
+		}
+	}
+
 	shlex := *dopt.shlex
 	shlex.RawQuotes = true
 	shlex.SkipUnsetEnv = true

frontend/dockerfile/dockerfile_rundevice_test.go

@@ -0,0 +1,76 @@
+package dockerfile
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/containerd/continuity/fs/fstest"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/frontend/dockerui"
+	"github.com/moby/buildkit/util/testutil/integration"
+	"github.com/stretchr/testify/require"
+	"github.com/tonistiigi/fsutil"
+)
+
+var deviceTests = integration.TestFuncs(
+	testDeviceEnv,
+)
+
+func testDeviceEnv(t *testing.T, sb integration.Sandbox) {
+	if sb.Rootless() {
+		t.SkipNow()
+	}
+
+	integration.SkipOnPlatform(t, "windows")
+	f := getFrontend(t, sb)
+
+	require.NoError(t, os.WriteFile(filepath.Join(sb.CDISpecDir(), "vendor1-device.yaml"), []byte(`
+cdiVersion: "0.3.0"
+kind: "vendor1.com/device"
+devices:
+- name: foo
+  containerEdits:
+    env:
+    - FOO=injected
+`), 0600))
+
+	dockerfile := []byte(`
+FROM busybox AS base
+RUN env|sort | tee foo.env
+FROM scratch
+COPY --from=base /foo.env /
+`)
+
+	dir := integration.Tmpdir(
+		t,
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+	)
+
+	c, err := client.New(sb.Context(), sb.Address())
+	require.NoError(t, err)
+	defer c.Close()
+
+	destDir := t.TempDir()
+
+	_, err = f.Solve(sb.Context(), c, client.SolveOpt{
+		FrontendAttrs: map[string]string{
+			"device": "vendor1.com/device=foo",
+		},
+		LocalMounts: map[string]fsutil.FS{
+			dockerui.DefaultLocalNameDockerfile: dir,
+			dockerui.DefaultLocalNameContext:    dir,
+		},
+		Exports: []client.ExportEntry{
+			{
+				Type:      client.ExporterLocal,
+				OutputDir: destDir,
+			},
+		},
+	}, nil)
+	require.NoError(t, err)
+
+	dt, err := os.ReadFile(filepath.Join(destDir, "foo.env"))
+	require.NoError(t, err)
+	require.Contains(t, string(dt), `FOO=injected`)
+}

frontend/dockerfile/dockerfile_test.go

@@ -301,6 +301,11 @@ func TestIntegration(t *testing.T) {
 			"granted": networkHostGranted,
 			"denied":  networkHostDenied,
 		}))...)
+
+	integration.Run(t, deviceTests, append(opts,
+		integration.WithMatrix("cdi", map[string]interface{}{
+			"enabled": enableCDI,
+		}))...)
 }
 
 func testEmptyStringArgInEnv(t *testing.T, sb integration.Sandbox) {
@@ -9897,6 +9902,19 @@ var (
 	networkHostDenied  integration.ConfigUpdater = &networkModeSandbox{}
 )
 
+type cdiEnabled struct{}
+
+func (*cdiEnabled) UpdateConfigFile(in string) string {
+	return in + `
+[cdi]
+enabled = true
+`
+}
+
+var (
+	enableCDI integration.ConfigUpdater = &cdiEnabled{}
+)
+
 func fixedWriteCloser(wc io.WriteCloser) filesync.FileOutputFunc {
 	return func(map[string]string) (io.WriteCloser, error) {
 		return wc, nil

frontend/dockerui/attr.go

@@ -1,6 +1,7 @@
 package dockerui
 
 import (
+	"encoding/csv"
 	"net"
 	"strconv"
 	"strings"
@@ -13,6 +14,7 @@ import (
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/tonistiigi/go-csvvalue"
+	"tags.cncf.io/container-device-interface/pkg/parser"
 )
 
 func parsePlatforms(v string) ([]ocispecs.Platform, error) {
@@ -97,6 +99,27 @@ func parseUlimits(v string) ([]*pb.Ulimit, error) {
 	return out, nil
 }
 
+func parseDevices(v string) ([]*pb.CDIDevice, error) {
+	if v == "" {
+		return nil, nil
+	}
+	out := make([]*pb.CDIDevice, 0)
+	csvReader := csv.NewReader(strings.NewReader(v))
+	names, err := csvReader.Read()
+	if err != nil {
+		return nil, err
+	}
+	for _, name := range names {
+		if _, _, _, err := parser.ParseQualifiedName(name); err != nil {
+			return nil, errors.Wrapf(err, "invalid CDI device name %q", name)
+		}
+		out = append(out, &pb.CDIDevice{
+			Name: name,
+		})
+	}
+	return out, nil
+}
+
 func parseNetMode(v string) (pb.NetMode, error) {
 	if v == "" {
 		return llb.NetModeSandbox, nil

frontend/dockerui/config.go

@@ -40,6 +40,7 @@ const (
 	keyShmSize          = "shm-size"
 	keyTargetPlatform   = "platform"
 	keyUlimit           = "ulimit"
+	keyDevice           = "device"
 	keyCacheFrom        = "cache-from"    // for registry only. deprecated in favor of keyCacheImports
 	keyCacheImports     = "cache-imports" // JSON representation of []CacheOptionsEntry
 
@@ -66,6 +67,7 @@ type Config struct {
 	ShmSize          int64
 	Target           string
 	Ulimits          []*pb.Ulimit
+	Devices          []*pb.CDIDevice
 	LinterConfig     *linter.Config
 
 	CacheImports           []client.CacheOptionsEntry
@@ -187,6 +189,12 @@ func (bc *Client) init() error {
 	}
 	bc.Ulimits = ulimits
 
+	devices, err := parseDevices(opts[keyDevice])
+	if err != nil {
+		return errors.Wrap(err, "failed to parse device")
+	}
+	bc.Devices = devices
+
 	defaultNetMode, err := parseNetMode(opts[keyForceNetwork])
 	if err != nil {
 		return err