Maniphest T329220

buildkitd: Require use of the blubber frontend when running on trusted runners.
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	dancy
	Feb 8 2023, 6:39 PM

Tags

Referenced Files

None

Subscribers

Description

In a call to buildctl you can specify the frontend which is used to generate the build graph. For example, to build with blubber-buildkit:

buildctl build  --frontend=gateway.v0 --opt source=docker-registry.wikimedia.org/repos/releng/blubber/buildkit:v0.16.0 ...

or to build with a Dockerfile:

# Two forms
buildctl build  --frontend=gateway.v0 --opt source=docker/dockerfile ...
# or
buildctl build  --frontend=dockerfile.v0  ...

For Gitlab CI jobs running on trusted runners, we want buildkitd to enforce use of the blubber frontend.

Details

	Subject	Repo	Branch	Lines +/-
	Fix buildkitd.toml.erb	operations/puppet	production	+2 -2
	Restrict buildkitd frontend gateway and allowed sourced on trusted runners	operations/puppet	production	+27 -7
	Use buildkit wmf-v0.11-8 on WMCS and trusted runners	operations/puppet	production	+3 -3

Customize query in gerrit

	Title	Reference	Author	Source Branch	Dest Branch
	buildkitd: Add ability to restrict frontends and gateway sources	repos/releng/buildkit!46	dancy	wmf/v0.12-If6519d9b16f636d40b445e42c58d21b38d4b666e	wmf/v0.12
	Use kokkuri image v1.8.0	repos/releng/kokkuri!81	dancy	use-v1.8.0	main
	Remove build frontend restrictions from kokkuri	repos/releng/kokkuri!80	dancy	review/dancy/remove-frontend-restrictions	main
	use buildkit image tag wmf-v0.11-8	repos/releng/gitlab-cloud-runner!241	dancy	review/dancy/use-buildkit-wmf-v0.11-8	main
	buildkitd: Add ability to restrict frontends and gateway sources	repos/releng/buildkit!40	dancy	review/dancy/restrictions	wmf/v0.11

Customize query in GitLab

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		None	T326569 Kokkuri should allow dockerfile.v0 frontend
		Resolved		dancy	T329220 buildkitd: Require use of the blubber frontend when running on trusted runners.

Event Timeline

dancy created this task.Feb 8 2023, 6:39 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 8 2023, 6:39 PM

dancy added a parent task: T326569: Kokkuri should allow dockerfile.v0 frontend.Feb 8 2023, 6:41 PM

thcipriani edited projects, added Release-Engineering-Team (GitLab V: Event Horizon 🌄); removed Release-Engineering-Team.Feb 13 2023, 6:46 PM

brennen moved this task from Inbox to CI & Job Runners on the GitLab board.Feb 15 2023, 4:47 PM

brennen edited projects, added GitLab (CI & Job Runners); removed GitLab.

thcipriani assigned this task to • demon.Apr 6 2023, 4:52 PM

thcipriani edited projects, added Release-Engineering-Team (They Live 🕶️🧟); removed Release-Engineering-Team (GitLab V: Event Horizon 🌄).May 10 2023, 3:59 PM

• demon moved this task from Backlog to Ready on the Release-Engineering-Team (They Live 🕶️🧟) board.May 31 2023, 4:01 PM

thcipriani removed • demon as the assignee of this task.Jun 9 2023, 8:31 PM

thcipriani added a subscriber: • demon.

dancy opened https://gitlab.wikimedia.org/repos/releng/buildkit/-/merge_requests/40

buildkitd: Add ability to restrict frontends and gateway sources

CodeReviewBot added a project: Patch-For-Review.Jun 12 2023, 6:30 PM

jeena moved this task from Ready to Waiting for review on the Release-Engineering-Team (They Live 🕶️🧟) board.Jun 12 2023, 9:04 PM

dancy claimed this task.Jun 16 2023, 4:15 PM

dancy triaged this task as Medium priority.

dancy merged https://gitlab.wikimedia.org/repos/releng/buildkit/-/merge_requests/40

buildkitd: Add ability to restrict frontends and gateway sources

Maintenance_bot removed a project: Patch-For-Review.Jul 17 2023, 8:30 PM

dancy opened https://gitlab.wikimedia.org/repos/releng/gitlab-cloud-runner/-/merge_requests/241

use buildkit image tag wmf-v0.11-8

dancy merged https://gitlab.wikimedia.org/repos/releng/gitlab-cloud-runner/-/merge_requests/241

use buildkit image tag wmf-v0.11-8

Change 938931 had a related patch set uploaded (by Ahmon Dancy; author: Ahmon Dancy):

[operations/puppet@production] Use buildkit wmf-v0.11-8 on WMCS and trusted runners

https://gerrit.wikimedia.org/r/938931

Change 938939 had a related patch set uploaded (by Ahmon Dancy; author: Ahmon Dancy):

[operations/puppet@production] Restrict buildkitd frontend gateway and allowed sourced on trusted runners

https://gerrit.wikimedia.org/r/938939

Change 938931 merged by RLazarus:

[operations/puppet@production] Use buildkit wmf-v0.11-8 on WMCS and trusted runners

https://gerrit.wikimedia.org/r/938931

Change 938939 merged by RLazarus:

[operations/puppet@production] Restrict buildkitd frontend gateway and allowed sourced on trusted runners

https://gerrit.wikimedia.org/r/938939

Maintenance_bot removed a project: Patch-For-Review.Jul 18 2023, 4:31 PM

dancy opened https://gitlab.wikimedia.org/repos/releng/gitlab-runner-test/-/merge_requests/8

.gitlab-ci.yml: Try using disallowed frontends

dancy closed https://gitlab.wikimedia.org/repos/releng/gitlab-runner-test/-/merge_requests/8

.gitlab-ci.yml: Try using disallowed frontends

Maintenance_bot removed a project: Patch-For-Review.Jul 18 2023, 7:30 PM

buildkitd frontend enforcement has been deployed to trusted runners and tested.

dancy opened https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/80

Remove build frontend restrictions from kokkuri

Change 939730 had a related patch set uploaded (by Ahmon Dancy; author: Ahmon Dancy):

[operations/puppet@production] Fix buildkitd.toml.erb

https://gerrit.wikimedia.org/r/939730

Change 939730 merged by EoghanGaffney:

[operations/puppet@production] Fix buildkitd.toml.erb

https://gerrit.wikimedia.org/r/939730

dancy merged https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/80

Remove build frontend restrictions from kokkuri

dancy opened https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/81

Use kokkuri image v1.8.0

dancy merged https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/81

Use kokkuri image v1.8.0

dancy closed this task as Resolved.Jul 25 2023, 4:13 PM

Maintenance_bot removed a project: Patch-For-Review.Jul 25 2023, 4:30 PM

dancy moved this task from Waiting for review to Done on the Release-Engineering-Team (They Live 🕶️🧟) board.Jul 26 2023, 5:00 PM

dancy opened https://gitlab.wikimedia.org/repos/releng/buildkit/-/merge_requests/46

buildkitd: Add ability to restrict frontends and gateway sources

dancy merged https://gitlab.wikimedia.org/repos/releng/buildkit/-/merge_requests/46

buildkitd: Add ability to restrict frontends and gateway sources