diff --git a/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md b/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md index 9abe6d87f6..607c5e34ba 100644 --- a/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md +++ b/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md @@ -1,4 +1,6 @@ -# buildkitd.toml +--- +title: buildkitd.toml +--- The TOML file used to configure the buildkitd daemon settings has a short list of global settings followed by a series of sections for specific areas diff --git a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md index a5a0a049fa..1cf73cd242 100644 --- a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md +++ b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md @@ -80,6 +80,7 @@ world Comments don't support line continuation characters. +> [!NOTE] > **Note on whitespace** > > For backward compatibility, leading whitespace before comments (`#`) and @@ -117,15 +118,25 @@ and don't show up as build steps. Parser directives are written as a special type of comment in the form `# directive=value`. A single directive may only be used once. +The following parser directives are supported: + +- [`syntax`](#syntax) +- [`escape`](#escape) +- [`check`](#check) (since Dockerfile v1.8.0) + Once a comment, empty line or builder instruction has been processed, BuildKit no longer looks for parser directives. Instead it treats anything formatted as a parser directive as a comment and doesn't attempt to validate if it might be a parser directive. Therefore, all parser directives must be at the top of a Dockerfile. -Parser directives aren't case-sensitive, but they're lowercase by convention. -It's also conventional to include a blank line following any parser directives. -Line continuation characters aren't supported in parser directives. +Parser directive keys, such as `syntax` or `check`, aren't case-sensitive, but +they're lowercase by convention. Values for a directive are case-sensitive and +must be written in the appropriate case for the directive. For example, +`#check=skip=jsonargsrecommended` is invalid because the check name must use +Pascal case, not lowercase. It's also conventional to include a blank line +following any parser directives. Line continuation characters aren't supported +in parser directives. Due to these rules, the following examples are all invalid: @@ -307,6 +318,46 @@ Successfully built 01c7f3bef04f PS E:\myproject> ``` +### check + +```dockerfile +# check=skip= +# check=error= +``` + +The `check` directive is used to configure how [build checks](https://docs.docker.com/build/checks/) +are evaluated. By default, all checks are run, and failures are treated as +warnings. + +You can disable specific checks using `#check=skip=`. To specify +multiple checks to skip, separate them with a comma: + +```dockerfile +# check=skip=JSONArgsRecommended,StageNameCasing +``` + +To disable all checks, use `#check=skip=all`. + +By default, builds with failing build checks exit with a zero status code +despite warnings. To make the build fail on warnings, set `#check=error=true`. + +```dockerfile +# check=error=true +``` + +To combine both the `skip` and `error` options, use a semi-colon to separate +them: + +```dockerfile +# check=skip=JSONArgsRecommended;error=true +``` + +To see all available checks, see the [build checks reference](https://docs.docker.com/reference/build-checks/). +Note that the checks available depend on the Dockerfile syntax version. To make +sure you're getting the most up-to-date checks, use the [`syntax`](#syntax) +directive to specify the Dockerfile syntax version to the latest stable +version. + ## Environment replacement Environment variables (declared with [the `ENV` statement](#env)) can also be @@ -513,7 +564,7 @@ They're equivalent to the following line: RUN source $HOME/.bashrc && echo $HOME ``` -You can also use heredocs with the shell form to break up a command: +You can also use heredocs with the shell form to break up supported commands. ```dockerfile RUN < **Warning** -> +> [!WARNING] > The use of `--network=host` is protected by the `network.host` entitlement, > which needs to be enabled when starting the buildkitd daemon with > `--allow-insecure-entitlement network.host` flag or in [buildkitd config](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md), @@ -867,8 +942,7 @@ The command is run in the host's network environment (similar to ### RUN --security -> **Note** -> +> [!NOTE] > Not yet available in stable syntax, use [`docker/dockerfile:1-labs`](#syntax) version. ```dockerfile @@ -880,8 +954,7 @@ With `--security=insecure`, the builder runs the command without sandbox in inse mode, which allows to run flows requiring elevated privileges (e.g. containerd). This is equivalent to running `docker run --privileged`. -> **Warning** -> +> [!WARNING] > In order to access this feature, entitlement `security.insecure` should be > enabled when starting the buildkitd daemon with > `--allow-insecure-entitlement security.insecure` flag or in [buildkitd config](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md), @@ -931,8 +1004,7 @@ If `CMD` is used to provide default arguments for the `ENTRYPOINT` instruction, both the `CMD` and `ENTRYPOINT` instructions should be specified in the [exec form](#exec-form). -> **Note** -> +> [!NOTE] > Don't confuse `RUN` with `CMD`. `RUN` actually runs a command and commits > the result; `CMD` doesn't execute anything at build time, but specifies > the intended command for the image. @@ -970,8 +1042,7 @@ LABEL multi.label1="value1" \ other="value3" ``` -> **Note** -> +> [!NOTE] > Be sure to use double quotes and not single quotes. Particularly when you are > using string interpolation (e.g. `LABEL example="foo-$ENV_VAR"`), single > quotes will take the string as is without unpacking the variable's value. @@ -1121,6 +1192,7 @@ ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install -y ... ``` +> [!NOTE] > **Alternative syntax** > > The `ENV` instruction also allows an alternative syntax `ENV `, @@ -1153,12 +1225,14 @@ ADD [OPTIONS] ["", ... ""] The available `[OPTIONS]` are: -- [`--keep-git-dir`](#add---keep-git-dir) -- [`--checksum`](#add---checksum) -- [`--chown`](#add---chown---chmod) -- [`--chmod`](#add---chown---chmod) -- [`--link`](#add---link) -- [`--exclude`](#add---exclude) +| Option | Minimum Dockerfile version | +| --------------------------------------- | -------------------------- | +| [`--keep-git-dir`](#add---keep-git-dir) | 1.1 | +| [`--checksum`](#add---checksum) | 1.6 | +| [`--chown`](#add---chown---chmod) | | +| [`--chmod`](#add---chown---chmod) | 1.2 | +| [`--link`](#add---link) | 1.4 | +| [`--exclude`](#add---exclude) | 1.7 | The `ADD` instruction copies new files or directories from `` and adds them to the filesystem of the image at the path ``. Files and directories @@ -1275,8 +1349,7 @@ The result is the union of: 2. The contents of the source tree, with conflicts resolved in favor of the content being added, on a file-by-file basis. -> **Note** -> +> [!NOTE] > Whether a file is identified as a recognized compression format or not is > done solely based on the contents of the file, not the name of the file. For > example, if an empty file happens to end with `.tar.gz` this isn't recognized @@ -1404,7 +1477,9 @@ ADD --keep-git-dir=true https://github.com/moby/buildkit.git#v0.10.1 /buildkit ADD [--checksum=] ... ``` -The `--checksum` flag lets you verify the checksum of a remote resource: +The `--checksum` flag lets you verify the checksum of a remote resource. The +checksum is formatted as `:`. The supported algorithms are +`sha256`, `sha384`, and `sha512`. ```dockerfile ADD --checksum=sha256:24454f830cdb571e2c4ad15481119c43b3cafd48dd869a9b2945d1036d1dc68d https://mirrors.edge.kernel.org/pub/linux/kernel/Historic/linux-0.01.tar.gz / @@ -1436,12 +1511,14 @@ COPY [OPTIONS] ["", ... ""] The available `[OPTIONS]` are: -- [`--from`](#copy---from) -- [`--chown`](#copy---chown---chmod) -- [`--chmod`](#copy---chown---chmod) -- [`--link`](#copy---link) -- [`--parents`](#copy---parents) -- [`--exclude`](#copy---exclude) +| Option | Minimum Dockerfile version | +| ---------------------------------- | -------------------------- | +| [`--from`](#copy---from) | | +| [`--chown`](#copy---chown---chmod) | | +| [`--chmod`](#copy---chown---chmod) | 1.2 | +| [`--link`](#copy---link) | 1.4 | +| [`--parents`](#copy---parents) | 1.7 | +| [`--exclude`](#copy---exclude) | 1.7 | The `COPY` instruction copies new files or directories from `` and adds them to the filesystem of the image at the path ``. Files and directories @@ -1547,11 +1624,11 @@ relative to the root of the current build stage. ```dockerfile # create /abs/test.txt -ADD test.txt /abs/ +COPY test.txt /abs/ ``` -Trailing slashes are significant. For example, `ADD test.txt /abs` creates a -file at `/abs`, whereas `ADD test.txt /abs/` creates `/abs/test.txt`. +Trailing slashes are significant. For example, `COPY test.txt /abs` creates a +file at `/abs`, whereas `COPY test.txt /abs/` creates `/abs/test.txt`. If the destination path doesn't begin with a leading slash, it's interpreted as relative to the working directory of the build container. @@ -1559,7 +1636,7 @@ relative to the working directory of the build container. ```dockerfile WORKDIR /usr/src/app # create /usr/src/app/rel/test.txt -ADD test.txt rel/ +COPY test.txt rel/ ``` If destination doesn't exist, it's created, along with all missing directories @@ -1607,8 +1684,7 @@ image or stage that you specify. ### COPY --chown --chmod -> **Note** -> +> [!NOTE] > Only octal notation is currently supported. Non-octal support is tracked in > [moby/buildkit#1951](https://github.com/moby/buildkit/issues/1951). @@ -1646,6 +1722,18 @@ If the container root filesystem doesn't contain either `/etc/passwd` or flag, the build will fail on the `COPY` operation. Using numeric IDs requires no lookup and does not depend on container root filesystem content. +With the Dockerfile syntax version 1.10.0 and later, +the `--chmod` flag supports variable interpolation, +which lets you define the permission bits using build arguments: + +```dockerfile +# syntax=docker/dockerfile:1.10 +FROM alpine +WORKDIR /src +ARG MODE=440 +COPY --chmod=$MODE . . +``` + ### COPY --link ```dockerfile @@ -1717,8 +1805,7 @@ conditions for cache reuse. ### COPY --parents -> **Note** -> +> [!NOTE] > Not yet available in stable syntax, use [`docker/dockerfile:1.7-labs`](#syntax) version. ```dockerfile @@ -1775,8 +1862,7 @@ with the `--parents` flag, the Buildkit is capable of packing multiple ### COPY --exclude -> **Note** -> +> [!NOTE] > Not yet available in stable syntax, use [`docker/dockerfile:1.7-labs`](#syntax) version. ```dockerfile @@ -1973,8 +2059,7 @@ user 0m 0.03s sys 0m 0.03s ``` -> **Note** -> +> [!NOTE] > You can override the `ENTRYPOINT` setting using `--entrypoint`, > but this can only set the binary to exec (no `sh -c` will be used). @@ -2081,8 +2166,7 @@ The table below shows what command is executed for different `ENTRYPOINT` / `CMD | **CMD ["exec_cmd", "p1_cmd"]** | exec_cmd p1_cmd | /bin/sh -c exec_entry p1_entry | exec_entry p1_entry exec_cmd p1_cmd | | **CMD exec_cmd p1_cmd** | /bin/sh -c exec_cmd p1_cmd | /bin/sh -c exec_entry p1_entry | exec_entry p1_entry /bin/sh -c exec_cmd p1_cmd | -> **Note** -> +> [!NOTE] > If `CMD` is defined from the base image, setting `ENTRYPOINT` will > reset `CMD` to an empty value. In this scenario, `CMD` must be defined in the > current image to have a value. @@ -2160,8 +2244,7 @@ runtime, runs the relevant `ENTRYPOINT` and `CMD` commands. > Note that when specifying a group for the user, the user will have _only_ the > specified group membership. Any other configured group memberships will be ignored. -> **Warning** -> +> [!WARNING] > When the user doesn't have a primary group then the image (or the next > instructions) will be run with the `root` group. > @@ -2229,8 +2312,7 @@ The `ARG` instruction defines a variable that users can pass at build-time to the builder with the `docker build` command using the `--build-arg =` flag. -> **Warning** -> +> [!WARNING] > It isn't recommended to use build arguments for passing secrets such as > user credentials, API tokens, etc. Build arguments are visible in the > `docker history` command and in `max` mode provenance attestations, diff --git a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/_index.md b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/_index.md index 0508c34de9..bd22a77db9 100644 --- a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/_index.md +++ b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/_index.md @@ -20,6 +20,9 @@ the rules. To run a check, use the `--check` flag: $ docker build --check . ``` +To learn more about how to use build checks, see +[Checking your build configuration](https://docs.docker.com/build/checks/). + @@ -97,7 +100,7 @@ $ docker build --check . - + diff --git a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/copy-ignored-file.md b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/copy-ignored-file.md index 7a71136358..fd16896131 100644 --- a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/copy-ignored-file.md +++ b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/copy-ignored-file.md @@ -5,6 +5,10 @@ aliases: - /go/dockerfile/rule/copy-ignored-file/ --- +> [!NOTE] +> This check is experimental and is not enabled by default. To enable it, see +> [Experimental checks](https://docs.docker.com/go/build-checks-experimental/). + ## Output ```text diff --git a/go.mod b/go.mod index 81c7b3f091..9deb72a080 100644 --- a/go.mod +++ b/go.mod @@ -18,6 +18,6 @@ replace ( github.com/docker/cli => github.com/docker/cli v27.2.2-0.20240909090509-65decb573126+incompatible github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.29.2 github.com/docker/scout-cli => github.com/docker/scout-cli v1.13.0 - github.com/moby/buildkit => github.com/moby/buildkit v0.15.1 + github.com/moby/buildkit => github.com/moby/buildkit v0.16.0 github.com/moby/moby => github.com/moby/moby v27.2.1+incompatible ) diff --git a/go.sum b/go.sum index e60c544453..5c2a2d3d3e 100644 --- a/go.sum +++ b/go.sum @@ -288,6 +288,8 @@ github.com/moby/buildkit v0.14.0-rc2.0.20240611065153-eed17a45c62b h1:n06ACmuRYP github.com/moby/buildkit v0.14.0-rc2.0.20240611065153-eed17a45c62b/go.mod h1:1XssG7cAqv5Bz1xcGMxJL123iCv5TYN4Z/qf647gfuk= github.com/moby/buildkit v0.15.1 h1:J6wrew7hphKqlq1wuu6yaUb/1Ra7gEzDAovylGztAKM= github.com/moby/buildkit v0.15.1/go.mod h1:Yis8ZMUJTHX9XhH9zVyK2igqSHV3sxi3UN0uztZocZk= +github.com/moby/buildkit v0.16.0 h1:wOVBj1o5YNVad/txPQNXUXdelm7Hs/i0PUFjzbK0VKE= +github.com/moby/buildkit v0.16.0/go.mod h1:Xqx/5GlrqE1yIRORk0NSCVDFpQAU1WjlT6KHYZdisIQ= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/moby v24.0.2+incompatible h1:yH+5dRHH1x3XRKzl1THA2aGTy6CHYnkt5N924ADMax8= github.com/moby/moby v24.0.2+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
FROM --platform flag should not use a constant value
CopyIgnoredFileCopyIgnoredFile (experimental) Attempting to Copy file that is excluded by .dockerignore