buildkitd container image does not include iptables, and so breaks with bridge mode #4637

Closed
TBBle opened this issue Feb 12, 2024 · 0 comments · Fixed by #4650
TBBle commented Feb 12, 2024

As noted in #4352, the bridge-mode is intended to be default, but simple testing of that case using buildx failed:

$ docker buildx create --name bridge-build --driver docker-container --driver-opt image=moby/buildkit:master --buildkitd-flags "--oci-worker-net=bridge" --bootstrap
[+] Building 17.1s (1/1) FINISHED
 => ERROR [internal] booting buildkit                                                                                                                                                                                            17.1s
 => => pulling image moby/buildkit:master                                                                                                                                                                                         1.6s
 => => creating container buildx_buildkit_bridge-build0                                                                                                                                                                          15.5s
------
 > [internal] booting buildkit:
17.09 buildkitd: plugin type="buildkit-cni-bridge" failed (add): failed to locate iptables: exec: "iptables": executable file not found in $PATH
17.09 github.com/moby/buildkit/util/network/cniprovider.(*cniProvider).newNS
17.09 github.com/moby/buildkit/util/network/cniprovider.(*cniPool).getNew.func1
17.09 github.com/moby/buildkit/util/network/cniprovider.withDetachedNetNSIfAny
17.09 github.com/moby/buildkit/util/network/cniprovider.(*cniPool).getNew
17.09 github.com/moby/buildkit/util/network/cniprovider.(*cniPool).get
17.09 github.com/moby/buildkit/util/network/cniprovider.(*cniProvider).New
17.09 github.com/moby/buildkit/util/network/cniprovider.(*cniProvider).initNetwork
17.09 github.com/moby/buildkit/util/network/cniprovider.NewBridge
17.09 github.com/moby/buildkit/util/network/netproviders.getBridgeProvider
17.09 github.com/moby/buildkit/util/network/netproviders.Providers
17.09 github.com/moby/buildkit/worker/runc.NewWorkerOpt
17.09 main.ociWorkerInitializer
17.09 main.newWorkerController
17.09 main.newController
17.09 main.main.func3
17.09 github.com/urfave/cli.HandleAction
17.09 github.com/urfave/cli.(*App).Run
17.09 main.main
17.09 runtime.main
17.09 runtime.goexit
17.09
------
ERROR: Error response from daemon: container 61d48edc12f7d7ccbf95b0fc4ffef2b7b4b857f19a8f5182b47eadb49522a0f0 is not running

I assume this'd be as simple as including iptables (and any future utils) inside the auto-published buildkit container images. Are there cases where we'd want to exclude them? Currently iptables is added to the integration-tests-base image, so we don't see this issue in CI, assuming this is covered per #4545 (comment). I guess adding iptables (and any other necessary binaries) into cni-plugins-export would be the right place, rather than adding them to buildkit-base.


Brief testing showed this trivial Dockerfile provides a bootstrappable builder:

FROM moby/buildkit:master
RUN apk add --no-cache iptables ip6tables && ln -s /sbin/iptables-legacy /usr/bin/iptables

Attempting to be more selective like cni-plugins-export does was "too hard" because iptables depends on shared libraries, and that seems a bit fragile to me too. (But maybe is justified? Implementor's choice, really.)
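
A preflight check for the failure reported above, as an added example that is not part of the original issue or of the BuildKit code: it looks up the bridge-mode tools on a given PATH and treats a dangling symlink as missing, so an image can be tested before `--oci-worker-net=bridge` is enabled. The function names and the tool list (taken from the packages the workaround Dockerfile installs) are assumptions.

```shell
#!/bin/sh
# Added example: verify that the binaries bridge mode shells out to can be
# resolved on a PATH. Tool list is an assumption based on the workaround
# Dockerfile (apk add iptables ip6tables).
BRIDGE_TOOLS="iptables ip6tables"

# find_in_path NAME PATHSTRING
# Prints the first PATH entry holding an executable regular file called NAME.
# Symlinks are followed, so a link to a missing target does not count.
find_in_path() {
    lookup_name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.   # empty PATH entry means current directory
        if [ -f "$dir/$lookup_name" ] && [ -x "$dir/$lookup_name" ]; then
            printf '%s\n' "$dir/$lookup_name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_bridge_tools PATHSTRING
# Prints one line per tool and returns non-zero if any tool is missing.
check_bridge_tools() {
    missing=0
    for tool in $BRIDGE_TOOLS; do
        if found=$(find_in_path "$tool" "$1"); then
            echo "ok: $tool -> $found"
        else
            echo "MISSING: $tool (not found in PATH, bridge mode would fail)"
            missing=1
        fi
    done
    return "$missing"
}

# Usage inside the image under test:
#   check_bridge_tools "$PATH" || exit 1
```
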
