From a8c48ffbbb14bb46e1f8ae3c69e223d979c2660a Mon Sep 17 00:00:00 2001
From: Connor Braa <3478454+cwlbraa@users.noreply.github.com>
Date: Fri, 13 Dec 2024 04:20:20 -0800
Subject: [PATCH 1/3] docs: bump dagger-for-github to v7 (#9192)
---
 docs/current_docs/integrations/snippets/github-ghcr.yml | 2 +-
 docs/current_docs/integrations/snippets/github-hello.yml | 2 +-
 docs/current_docs/integrations/snippets/github-test-build.yml | 4 ++--
 .../integrations/snippets/google-cloud-run/main.yml | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs/current_docs/integrations/snippets/github-ghcr.yml b/docs/current_docs/integrations/snippets/github-ghcr.yml
index ab159cea390..e703d98bf6e 100644
--- a/docs/current_docs/integrations/snippets/github-ghcr.yml
+++ b/docs/current_docs/integrations/snippets/github-ghcr.yml
@@ -14,7 +14,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Call Dagger Function to build and publish to ghcr.io
- uses: dagger/dagger-for-github@v6
+ uses: dagger/dagger-for-github@v7
 with:
 version: "latest"
 verb: call
diff --git a/docs/current_docs/integrations/snippets/github-hello.yml b/docs/current_docs/integrations/snippets/github-hello.yml
index e14826c243c..8761bbe8cef 100644
--- a/docs/current_docs/integrations/snippets/github-hello.yml
+++ b/docs/current_docs/integrations/snippets/github-hello.yml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Call Dagger Function
- uses: dagger/dagger-for-github@v6
+ uses: dagger/dagger-for-github@v7
 with:
 version: "latest"
 verb: call
diff --git a/docs/current_docs/integrations/snippets/github-test-build.yml b/docs/current_docs/integrations/snippets/github-test-build.yml
index aa7a5a4502c..b788edb9cc4 100644
--- a/docs/current_docs/integrations/snippets/github-test-build.yml
+++ b/docs/current_docs/integrations/snippets/github-test-build.yml
@@ -11,7 +11,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 - name: Test
- uses: dagger/dagger-for-github@v6
+ uses: dagger/dagger-for-github@v7
 with:
 version: "latest"
 verb: call
@@ -29,7 +29,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 - name: Call Dagger Function
- uses: dagger/dagger-for-github@v6
+ uses: dagger/dagger-for-github@v7
 with:
 version: "latest"
 verb: call
diff --git a/docs/current_docs/integrations/snippets/google-cloud-run/main.yml b/docs/current_docs/integrations/snippets/google-cloud-run/main.yml
index ea05b2d6d42..1215581d322 100644
--- a/docs/current_docs/integrations/snippets/google-cloud-run/main.yml
+++ b/docs/current_docs/integrations/snippets/google-cloud-run/main.yml
@@ -12,7 +12,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 - name: Call Dagger Function
- uses: dagger/dagger-for-github@v6
+ uses: dagger/dagger-for-github@v7
 with:
 version: "0.11.5"
 verb: call
From 4539614d43e748b89f5cab960ba34972c2b13ce4 Mon Sep 17 00:00:00 2001
From: vikram-dagger <112123850+vikram-dagger@users.noreply.github.com>
Date: Fri, 13 Dec 2024 21:54:17 +0530
Subject: [PATCH 2/3] docs: Remove transferred content from op manual (#9105)
Signed-off-by: Vikram Vaswani
---
 core/docs/d7yxc-operator_manual.md | 108 -----------------------------
 1 file changed, 108 deletions(-)
diff --git a/core/docs/d7yxc-operator_manual.md b/core/docs/d7yxc-operator_manual.md
index 31281767493..64c916c012b 100644
--- a/core/docs/d7yxc-operator_manual.md
+++ b/core/docs/d7yxc-operator_manual.md
@@ -79,16 +79,6 @@ It's typically run persistently, as opposed to sessions which only last for the ## FAQ -### What are the steps for using a custom runner? - -There are more [details](#runner-details) worth reviewing, but the consolidated steps are: - -1. Determine the runner version required by checking the release notes of the SDK you intend to use. -1. If changes to the base image are needed, make those and push them somewhere. If no changes are needed, just use it as is. -1. Start the runner image in your target of choice, keeping the [requirements](#execution-requirements) and [configuration](#configuration) in mind. -1. Export the `_EXPERIMENTAL_DAGGER_RUNNER_HOST` environment variable with [a value pointing to your target](#connection-interface). -1. Call `dagger run` or execute SDK code directly with that environment variable set. - ### What compatibility is there between SDK, CLI and Runner versions? This is only needed if you are using a custom provisioned runner or a pre-installed CLI. If you are just using an SDK directly a CLI and runner will be provisioned automatically at compatible versions. 
@@ -120,104 +110,6 @@ It is possible to use userspace TCP/IP implementations such as [slirp](https://g Newer options for more performant userspace network stacks have arisen in recent years, but they are generally either reliant on relatively recent kernel versions or in a nascent stage that would require significant validation around robustness+security. -## Runner Details - -### Execution Requirements - -1. The runner container currently needs root capabilities, including among others `CAP_SYS_ADMIN`, in order to execute pipelines. - - For example, this will be granted when using the `--privileged` flag of `docker run`. - - There is an issue for [supporting rootless execution](https://github.com/dagger/dagger/issues/1287). -1. The runner container should be given a volume at `/var/lib/dagger`. - - Otherwise runner execution may be extremely slow. This is due to the fact that it relies on overlayfs mounts for efficient operation, which isn't possible when `/var/lib/dagger` is itself an overlayfs. - - For example, this can be provided to a `docker run` command as `-v dagger-engine:/var/lib/dagger` -1. The container image comes with a default entrypoint which should be used to start the runner, no extra args are needed. -1. The container image comes with a default config file at `/etc/dagger/engine.toml` - - The `insecure-entitlements = ["security.insecure"]` setting enables use of the `InsecureRootCapabilities` flag in `WithExec`. Removing that line will result in an error when trying to use that flag. - -### Configuration - -Right now very few configuration knobs are supported as we are still working out the best interface for exposing them. - -Currently supported is: - -#### Custom CA Certs - -If you need any extra CA certs to be included in order to, e.g. push images to a private registry, they can be included under `/etc/ssl/certs` in the runner image. 
- -This can be accomplished by building a custom engine image using ours as a base or by mounting them into a container created from our image at runtime. - -#### Disabling Privileged Execs - -By default, the Dagger engine allows execs to run with root capabilities when the `InsecureRootCapabilities` field is set to true in the `WithExec` API. - -This can be disabled by overriding the default engine config at `/etc/dagger/engine.toml` to remove the line `insecure-entitlements = ["security.insecure"]` - -#### Registry Mirrors - -If you want to use a registry mirror, you can append the configuration to `/etc/dagger/engine.toml` using this format: - -```toml -[registry."docker.io"] - mirrors = ["mirror.gcr.io"] -``` - -You can repeat that for as many registries and mirrors you want, e.g. - -```toml -[registry."docker.io"] - mirrors = ["mirror.a.com", "mirror.b.com"] - -[registry."some.other.registry.com"] - mirrors = ["mirror.foo.com", "mirror.bar.com"] -``` - -### Connection Interface - -After the runner starts up, the CLI needs to connect to it. In the default path, this will all happen automatically. - -However if the `_EXPERIMENTAL_DAGGER_RUNNER_HOST` env var is set, then the CLI will instead connect to the endpoint specified there. It currently accepts values in the following format: - -1. `docker-container://` - Connect to the runner inside the given docker container. - - Requires the docker CLI be present and usable. Will result in shelling out to `docker exec`. -1. `docker-image://` - Start the runner in docker using the provided container image, pulling it locally if needed - - Requires the docker CLI be present and usable. -1. `podman-container://` - Connect to the runner inside the given podman container. -1. `kube-pod://?context=&namespace=&container=` - Connect to the runner inside the given k8s pod. Query strings params like context and namespace are optional. -1. `unix://` - Connect to the runner over the provided unix socket. -1. 
`tcp://` - Connect to the runner over tcp to the provided addr+port. No encryption will be setup. - -> **Warning** -> Dagger itself does not setup any encryption of data sent on this wire, so it relies on the underlying connection type to implement this when needed. If you are using a connection type that does not layer encryption then all queries and responses will be sent in plaintext over the wire from the CLI to the Runner. - -### Examples - -This example demonstrates how to configure the Dagger Engine to use a different registry mirror for container images instead of the default (Docker Hub) - -1. Create a file named `engine.toml` that contains the registry mirror. - -``` -debug = true -insecure-entitlements = ["security.insecure"] - -[registry."docker.io"] - mirrors = ["mirror.gcr.io"] -``` - -2. Manually starts the engine with the custom `engine.toml`: - -```shell -docker run --rm --name customized-dagger-engine --privileged --volume $PWD/engine.toml:/etc/dagger/engine.toml registry.dagger.io/engine:v0.8.8 -``` - -3. Test the configuration: - -```shell -export _EXPERIMENTAL_DAGGER_RUNNER_HOST=docker-container://customized-dagger-engine -dagger query --progress=plain <<< '{ container { from(address:"hello-world") { stdout } } }' -``` - -You should see the specified `hello-world` container being pulled from the mirror instead of from Docker Hub. - # Appendix These sections have more technical and "under-the-hood" details. From 63636db470c718c3b99e490135990764508f8208 Mon Sep 17 00:00:00 2001 
From: Erik Sipsma
Date: Fri, 13 Dec 2024 12:21:56 -0800
Subject: [PATCH 3/3] fix "return nil on err" cases and enable related linter (#9199)
Happened across an instance of incorrectly returning nil when err was set while working on stuff. This fixes that and enables the nilerr linter for catching these things, which revealed another occurence. As far as I can tell these haven't been actively hurting us most likely (the error cases are extremely unlikely to happen) but worth preventing these spooky typos from happening again going forward.
Signed-off-by: Erik Sipsma
---
 core/directory.go | 2 +-
 core/modulesource.go | 2 +-
 engine/sources/httpdns/source.go | 2 +-
 modules/golangci/lint-config.yml | 1 +
 4 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/core/directory.go b/core/directory.go
index 2e83960a65c..2003eabd408 100644
--- a/core/directory.go
+++ b/core/directory.go
@@ -135,7 +135,7 @@ func (dir *Directory) SetState(ctx context.Context, st llb.State) error {
 buildkit.WithPassthrough(), // these spans aren't particularly interesting
 )
 if err != nil {
- return nil
+ return err
 }
 dir.LLB = def.ToPB()
diff --git a/core/modulesource.go b/core/modulesource.go
index a5d0ead971f..b774059ee0f 100644
--- a/core/modulesource.go
+++ b/core/modulesource.go
@@ -572,7 +572,7 @@ func (src *ModuleSource) ModuleConfig(ctx context.Context) (*modules.ModuleConfi
 configFile, err := contextDir.Self.File(ctx, filepath.Join(rootSubpath, modules.Filename))
 if err != nil {
 // no configuration for this module yet, so no name
- return nil, false, nil
+ return nil, false, nil //nolint:nilerr
 }
 configBytes, err := configFile.Contents(ctx)
 if err != nil {
diff --git a/engine/sources/httpdns/source.go b/engine/sources/httpdns/source.go
index 4d890f703bd..9e876a8f759 100644
--- a/engine/sources/httpdns/source.go
+++ b/engine/sources/httpdns/source.go
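Review bot: The `//nolint:nilerr` added on the `return nil, false, nil` line in the ModuleConfig hunk of core/modulesource.go silences the new linter for every error returned by `contextDir.Self.File`, not only for a missing config file. As written, a cancelled context or any other read failure is reported to the caller as "module has no configuration", which is the same swallowed-error pattern the other hunks of this commit fix. If the File call exposes a distinguishable not-found error (not visible in this hunk), handle only that case here and return everything else to the caller. At minimum give the directive a stated reason, e.g. `return nil, false, nil //nolint:nilerr // a missing config file is expected here`. ModuleConfig starts and ends outside the hunk.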
@@ -162,7 +162,7 @@ func (hs *httpSourceHandler) CacheKey(ctx context.Context, g session.Group, inde
 uh, err := hs.urlHash()
 if err != nil {
- return "", "", nil, false, nil
+ return "", "", nil, false, err
 }
 // look up metadata(previously stored headers) for that URL
diff --git a/modules/golangci/lint-config.yml b/modules/golangci/lint-config.yml
index ea6f772b304..02ef61aca89 100644
--- a/modules/golangci/lint-config.yml
+++ b/modules/golangci/lint-config.yml
@@ -27,6 +27,7 @@ linters:
 - unparam
 - whitespace
 - gomodguard
+ - nilerr
 issues:
 exclude-rules: