woodpecker-ci / woodpecker

Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.
https://woodpecker-ci.org
Apache License 2.0

After update to version 2.7.1 buildx plugin stopped working #4096

Closed steinhobelgruen closed 1 month ago

steinhobelgruen commented 1 month ago

Component

agent

Describe the bug

After updating both the server and the agent to version 2.7.1 all steps using the woodpeckerci/plugin-docker-buildx stopped working. The docker build would not start:

+ coredns -conf /etc/coredns/Corefile
+ /usr/local/bin/dockerd --data-root /var/lib/docker --host=unix:///var/run/docker.sock --dns 172.17.0.2
Detected registry credentials
+ /usr/local/bin/docker version
Client:
 Version:           27.1.2
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
 API version:       1.46
 Go version:        go1.21.13
 Git commit:        d01f264
 Built:             Mon Aug 12 11:49:34 2024
 OS/Arch:           linux/amd64
 Context:           default
time="2024-09-07T16:16:31Z" level=error msg="execution failed: exit status 1"

Switching back to 2.7.0 fixed the problem.

Steps to reproduce

Expected behavior

No response

System Info

{"source":"https://github.com/woodpecker-ci/woodpecker","version":"2.7.1"}

(running on ubuntu 22.04LTS with docker 24.0.7)

Additional context

No response

qwerty287 commented 1 month ago

Some questions:

  1. What's in your WOODPECKER_ESCALATE
  2. Do you get any warnings for the pipeline?
  3. Can you post the YAML of the step?
6543 commented 1 month ago

Well, by default it should be allowed:

https://github.com/woodpecker-ci/woodpecker/blob/324ab4ac89758f994b32923b072d02e6c8dfb797/shared/constant/constant.go#L22-L23

6543 commented 1 month ago

If you have changed the default privileged plugins and added a tag, now the tag is respected so it must match to be privileged:

https://github.com/woodpecker-ci/woodpecker/pull/4076

qwerty287 commented 1 month ago

@steinhobelgruen are you using the secrets yaml key on the step?

steinhobelgruen commented 1 month ago

Since it happens with all pipelines I can just copy a very short one completely:

steps:
  docker-build:
    secrets: [docker_username, docker_password]
    image: woodpeckerci/plugin-docker-buildx
    settings:
      repo: dentaku/postfix
      tags:
        - latest
        - v0.1
      auto-tag: true
      platforms: [linux/amd64, linux/arm64]

With 2.7.0 I get no warnings on this pipeline at all, 2.7.1 on the other hand complains:

[linter] docker: steps.docker-build Should not configure both secrets and settings
[linter] docker: steps Must validate one and only one schema (oneOf)
[linter] docker: steps.docker-build Must validate one and only one schema (oneOf)
[linter] docker: steps.docker-build Additional property secrets is not allowed
[bad_habit] docker: steps.docker-build Please set an event filter for all steps or the whole workflow on all items of the when block

So I probably should change something about the secrets handling now, but that doesn't explain why even docker version fails, and it also doesn't explain why it fails with a timeout.

(I have no idea what WOODPECKER_ESCALATE is)

steinhobelgruen commented 1 month ago

Ah, I found WOODPECKER_ESCALATE in the documentation. I haven't set that to anything, so it should be on default.

qwerty287 commented 1 month ago

You're using secrets. That's forbidden for security reasons. While it was possible to use it before, it never was documented that this is possible.

Adding secrets means that this is not treated as a plugin internally anymore and therefore it won't get privileged, which is required to access the docker daemon. Thus it also can't run docker version.

Instead, use settings with from_secret.

steps:
  docker-build:
    image: woodpeckerci/plugin-docker-buildx
    settings:
      ...
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
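The privilege gate described in this answer, as an added illustration that is not Woodpecker's own code: a step with a `commands` or `secrets` key is not a plugin and so never gets the privileged flag, and the image is only matched against the privileged-plugins list with tag awareness. The `Step` type, `splitImage` helper and the rule that an untagged list entry matches any tag are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Step is a reduced, constructed view of a pipeline step (not Woodpecker's real type).
type Step struct {
	Image    string
	Commands []string
	Secrets  []string
}

// isPlugin applies the rule from the comment above: commands or a secrets key make it a plain container.
func isPlugin(s Step) bool {
	return len(s.Commands) == 0 && len(s.Secrets) == 0
}

// splitImage returns name and tag of "repo/name:tag"; only a colon after the last slash is a tag.
func splitImage(ref string) (name, tag string) {
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		return ref[:i], ref[i+1:]
	}
	return ref, ""
}

// isPrivilegedPlugin grants privilege only to a plugin whose image matches the
// list. Assumed rule: a list entry with a tag matches that tag only (the 2.7.1
// behaviour from the PR linked above); an entry without a tag matches any tag.
func isPrivilegedPlugin(s Step, privileged []string) bool {
	if !isPlugin(s) {
		return false
	}
	name, tag := splitImage(s.Image)
	for _, p := range privileged {
		pName, pTag := splitImage(p)
		if pName == name && (pTag == "" || pTag == tag) {
			return true
		}
	}
	return false
}

func main() {
	priv := []string{"woodpeckerci/plugin-docker-buildx"}
	withSecrets := Step{Image: "woodpeckerci/plugin-docker-buildx", Secrets: []string{"docker_username"}}
	fromSecret := Step{Image: "woodpeckerci/plugin-docker-buildx"}
	fmt.Println(isPrivilegedPlugin(withSecrets, priv), isPrivilegedPlugin(fromSecret, priv))
}
```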
steinhobelgruen commented 1 month ago

Thanks, that works, I'll close the issue.

But:

While it was possible to use it before, it never was documented that this is possible.

Yes, it is documented exactly like that here: https://woodpecker-ci.org/docs/usage/secrets#use-secrets-in-commands

6543 commented 1 month ago

@steinhobelgruen yes for commands

You use a plugin which has no commands ;)

6543 commented 1 month ago

But I agree the docs should be improved ...

6543 commented 1 month ago

@steinhobelgruen would https://github.com/woodpecker-ci/woodpecker/pull/4099 have clarified it for you?

steinhobelgruen commented 1 month ago

@steinhobelgruen would #4099 have clarified it for you?

A lot. :-)