Merge pull request #2204 from flatcar/krnowak/add-buildx

Add app-containers/docker-buildx

.github/workflows/portage-stable-packages-list

@@ -108,6 +108,7 @@ app-containers/containers-storage
 app-containers/cri-tools
 app-containers/crun
 app-containers/docker
+app-containers/docker-buildx
 app-containers/docker-cli
 app-containers/netavark
 app-containers/podman

build_image

@@ -33,7 +33,7 @@ DEFINE_string base_pkg "coreos-base/coreos" \
   "The base portage package to base the build off of (only applies to prod images)"
 DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \
   "The base portage package to base the build off of (only applies to dev containers)"
-DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker&app-containers/docker-cli" \
+DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker&app-containers/docker-cli&app-containers/docker-buildx" \
   "Comma-separated list of name:package[&package[&package]] - build 'package' (a single package or a list of packages separated by '&') into sysext 'name', and include with OS image and update payload. Must be in order of dependencies, base sysexts come first."
 DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \
   "Directory in which to place image result directories (named by version)"

changelog/changes/2024-08-05-buildx.md

@@ -0,0 +1 @@
+- The `docker build` command will now use buildx as its backend as the old one became deprecated and a loud "DEPRECATED" information is printed every time it's used.

ci-automation/base_sysexts.sh

@@ -7,5 +7,5 @@ fi
 
 ciabs_base_sysexts=(
     'containerd-flatcar:app-containers/containerd'
-    'docker-flatcar:app-containers/docker&app-containers/docker-cli'
+    'docker-flatcar:app-containers/docker&app-containers/docker-cli&app-containers/docker-buildx'
 )

sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild

@@ -29,6 +29,7 @@ RDEPEND="
 	app-containers/containerd
 	app-containers/docker
 	app-containers/docker-cli
+	app-containers/docker-buildx
 	app-emulation/amazon-ssm-agent
 	app-emulation/wa-linux-agent
 	coreos-base/coreos

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch

@@ -1,4 +1,4 @@
-From f646fccd3b737a79ae0e0d0de049166e531fb48b Mon Sep 17 00:00:00 2001
+From 07cf1b05c8b3b9460b4afc2998a9f170881faa16 Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak <knowak@microsoft.com>
 Date: Mon, 4 Dec 2023 12:17:25 +0100
 Subject: [PATCH] Flatcar modifications
@@ -8,13 +8,13 @@ Subject: [PATCH] Flatcar modifications
  policy/modules/kernel/corenetwork.if.in |  26 ++++
  policy/modules/kernel/corenetwork.te.in |  12 +-
  policy/modules/kernel/files.if          |  45 +++++++
- policy/modules/kernel/kernel.te         |  84 +++++++++++++
+ policy/modules/kernel/kernel.te         |  84 ++++++++++++
  policy/modules/services/container.fc    |   6 +
- policy/modules/services/container.te    | 159 +++++++++++++++++++++++-
+ policy/modules/services/container.te    | 170 +++++++++++++++++++++++-
  policy/modules/system/init.te           |   8 ++
  policy/modules/system/locallogin.te     |   9 +-
  policy/modules/system/logging.te        |   9 ++
- 10 files changed, 375 insertions(+), 3 deletions(-)
+ 10 files changed, 386 insertions(+), 3 deletions(-)
 
 diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
 index 3c43a1d84..429c67220 100644
@@ -115,10 +115,10 @@ index 53bf7849c..9edac05e8 100644
  # Infiniband
  corenet_ib_access_all_pkeys(corenet_unconfined_type)
 diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
-index e0337d044..ffd6a25bf 100644
+index b9c451321..104dc1e3e 100644
 --- a/refpolicy/policy/modules/kernel/files.if
 +++ b/refpolicy/policy/modules/kernel/files.if
-@@ -8004,3 +8004,48 @@ interface(`files_relabel_all_pidfiles',`
+@@ -8023,3 +8023,48 @@ interface(`files_relabel_all_pidfiles',`
  	relabel_files_pattern($1, pidfile, pidfile)
  	relabel_lnk_files_pattern($1, pidfile, pidfile)
  ')
@@ -280,7 +280,7 @@ index f98e68ba0..045b1b5b2 100644
  /run/containers(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
  /run/crun(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
 diff --git a/refpolicy/policy/modules/services/container.te b/refpolicy/policy/modules/services/container.te
-index 096d6c23d..4bbab3c69 100644
+index 095308a13..7cd6e45e4 100644
 --- a/refpolicy/policy/modules/services/container.te
 +++ b/refpolicy/policy/modules/services/container.te
 @@ -58,6 +58,52 @@ gen_tunable(container_use_dri, false)
@@ -345,7 +345,7 @@ index 096d6c23d..4bbab3c69 100644
 
  ## <desc>
  ##	<p>
-@@ -1191,3 +1237,114 @@ optional_policy(`
+@@ -1192,3 +1238,125 @@ optional_policy(`
         unconfined_domain_noaudit(spc_user_t)
         domain_ptrace_all_domains(spc_user_t)
  ')
@@ -460,11 +460,22 @@ index 096d6c23d..4bbab3c69 100644
 +# avc:  denied  { map_create } for  pid=[0-9]* comm="cilium-operator" scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tclass=bpf permissive=0
 +#
 +allow container_t self:bpf { map_create };
++
++#
++# FLATCAR:
++#
++# These ones happen in docker.base, docker.network and docker.userns.
++# Basically tests that build some docker images. And these started
++# breaking after moving to buildx as a backend of docker build.
++#
++# avc:  denied  { read } for  pid=[0-9]* comm="echo, sleep, whatever" path="/lib64/libc.so.6" dev="vda9" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
++#
++allow container_t tmp_t:file { read };
 diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
-index 8f3772dcb..435f62db6 100644
+index 03d0de8ed..16b75d04d 100644
 --- a/refpolicy/policy/modules/system/init.te
 +++ b/refpolicy/policy/modules/system/init.te
-@@ -1674,3 +1674,11 @@ optional_policy(`
+@@ -1678,3 +1678,11 @@ optional_policy(`
  	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
  	userdom_dontaudit_write_user_tmp_files(systemprocess)
  ')

sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/Manifest

@@ -0,0 +1,3 @@
+DIST docker-buildx-0.10.4.tar.gz 9184825 BLAKE2B f0e71c0f6dda5f02da4cf0b0514f67f5d339ba10359afc69aae25abf907447fd22fe3d92427299bc67aeaa6a84e748a8a5cbd86151b2baba2dd01f25cc04a793 SHA512 f82b89b8dd4e45524c8d353c4d7588f47b1c7b7ecf759fd9605247c1c7aa0ca152c3ecdec0e0b62b5eef05e6b65d2ca1f5ccab6d75819b92fc92ff62b44105b7
+DIST docker-buildx-0.11.2.tar.gz 10342565 BLAKE2B 1e034e9a07f36b46096f8f035869adc93b63af46cd9886f5ed4bc0939ce2f76b7f029a11ee536a34be23952e5c85251d757cec9ff05df172e3a26ea82a1bf0b1 SHA512 6f3718edf1e86c4422e1419580e4c38cf378a59555067be2aa6fac3e7f8878afe39d777765ace274cd9c47630f39cbacfacfdc4ecadd6ff46d5ee37d8f9bc75c
+DIST docker-buildx-0.14.0.tar.gz 11120356 BLAKE2B 01fec6b29665088a4778cb6a926f071c1beacb22d7a50593d55afff1225d0e74d083a82eaab4ae96ffee8a6f653ce048fd81b3410e7113bc29da210d77042b64 SHA512 bc09f29096cfd08c60efd8fca7976a1db896f0ed08d33dfc64dfca2c6487a1dc1722b3fe80b6a175ebebeacf8b460bcc214806d0c7a637f17ed5d09793d8c9d8