add support of privileged attribut in service.build section

Signed-off-by: Guillaume Lours <[email protected]>

Author: glours

pkg/compose/build.go

@@ -33,6 +33,7 @@ import (
 	"github.com/moby/buildkit/session/auth/authprovider"
 	"github.com/moby/buildkit/session/secrets/secretsprovider"
 	"github.com/moby/buildkit/session/sshforward/sshprovider"
+	"github.com/moby/buildkit/util/entitlements"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 
 	"github.com/docker/compose/v2/pkg/api"
@@ -71,7 +72,6 @@ func (s *composeService) build(ctx context.Context, project *types.Project, opti
 		if err != nil {
 			return err
 		}
-
 		for _, image := range service.Build.CacheFrom {
 			buildOptions.CacheFrom = append(buildOptions.CacheFrom, bclient.CacheOptionsEntry{
 				Type:  "registry",
@@ -258,6 +258,10 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
 	if len(service.Build.Tags) > 0 {
 		tags = append(tags, service.Build.Tags...)
 	}
+	var allow []entitlements.Entitlement
+	if service.Build.Privileged {
+		allow = append(allow, entitlements.EntitlementSecurityInsecure)
+	}
 
 	imageLabels := getImageBuildLabels(project, service)
 
@@ -279,6 +283,7 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
 		NetworkMode: service.Build.Network,
 		ExtraHosts:  service.Build.ExtraHosts.AsList(),
 		Session:     sessionConfig,
+		Allow:       allow,
 	}, nil
 }
 

pkg/compose/build_classic.go

@@ -30,6 +30,7 @@ import (
 	buildx "github.com/docker/buildx/build"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command/image/build"
+	"github.com/docker/compose/v2/pkg/utils"
 	dockertypes "github.com/docker/docker/api/types"
 	"github.com/docker/docker/builder/remotecontext/urlutil"
 	"github.com/docker/docker/pkg/archive"
@@ -38,6 +39,7 @@ import (
 	"github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/pkg/streamformatter"
 	"github.com/hashicorp/go-multierror"
+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/pkg/errors"
 
 	"github.com/docker/compose/v2/pkg/api"
@@ -92,6 +94,9 @@ func (s *composeService) doBuildClassicSimpleImage(ctx context.Context, options
 	if len(options.Platforms) > 1 {
 		return "", errors.Errorf("this builder doesn't support multi-arch build, set DOCKER_BUILDKIT=1 to use multi-arch builder")
 	}
+	if utils.Contains(options.Allow, entitlements.EntitlementSecurityInsecure) {
+		return "", errors.Errorf("this builder doesn't support privileged mode, set DOCKER_BUILDKIT=1 to use builder supporting privileged mode")
+	}
 
 	if options.Labels == nil {
 		options.Labels = make(map[string]string)

pkg/e2e/build_test.go

@@ -338,6 +338,27 @@ func TestBuildPlatformsWithCorrectBuildxConfig(t *testing.T) {
 
 }
 
+func TestBuildPrivileged(t *testing.T) {
+	c := NewParallelCLI(t)
+
+	// declare builder
+	result := c.RunDockerCmd(t, "buildx", "create", "--name", "build-privileged", "--use", "--bootstrap", "--buildkitd-flags",
+		`'--allow-insecure-entitlement=security.insecure'`)
+	assert.NilError(t, result.Error)
+
+	t.Cleanup(func() {
+		c.RunDockerComposeCmd(t, "--project-directory", "fixtures/build-test/privileged", "down")
+		_ = c.RunDockerCmd(t, "buildx", "rm", "-f", "build-privileged")
+	})
+
+	t.Run("use build privileged mode to run insecure build command", func(t *testing.T) {
+		res := c.RunDockerComposeCmdNoCheck(t, "--project-directory", "fixtures/build-test/privileged", "build")
+		assert.NilError(t, res.Error, res.Stderr())
+		res.Assert(t, icmd.Expected{Out: "CapEff:\t0000003fffffffff"})
+
+	})
+}
+
 func TestBuildPlatformsStandardErrors(t *testing.T) {
 	c := NewParallelCLI(t)
 
@@ -380,4 +401,17 @@ func TestBuildPlatformsStandardErrors(t *testing.T) {
 			Err:      `DOCKER_DEFAULT_PLATFORM "windows/amd64" value should be part of the service.build.platforms: ["linux/amd64" "linux/arm64"]`,
 		})
 	})
+
+	t.Run("no privileged support with Classic Builder", func(t *testing.T) {
+		cmd := c.NewDockerComposeCmd(t, "--project-directory", "fixtures/build-test/privileged", "build")
+
+		res := icmd.RunCmd(cmd, func(cmd *icmd.Cmd) {
+			cmd.Env = append(cmd.Env, "DOCKER_BUILDKIT=0")
+		})
+		res.Assert(t, icmd.Expected{
+			ExitCode: 1,
+			Err:      "this builder doesn't support privileged mode, set DOCKER_BUILDKIT=1 to use builder supporting privileged mode",
+		})
+	})
+
 }

pkg/e2e/fixtures/build-test/privileged/Dockerfile

@@ -0,0 +1,19 @@
+# syntax = docker/dockerfile:experimental
+
+
+#   Copyright 2020 Docker Compose CLI authors
+
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+
+#       http://www.apache.org/licenses/LICENSE-2.0
+
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+FROM alpine
+RUN --security=insecure cat /proc/self/status | grep CapEff

pkg/e2e/fixtures/build-test/privileged/compose.yaml

@@ -0,0 +1,5 @@
+services:
+  privileged-service:
+    build:
+      context: .
+      privileged: true