diff --git a/commands/build.go b/commands/build.go
index 30565fe6e166..bdbed6d0ad80 100644
--- a/commands/build.go
+++ b/commands/build.go
@@ -502,7 +502,7 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugger debuggerOpt
 flags.StringSliceVar(&options.extraHosts, "add-host", []string{}, `Add a custom host-to-IP mapping (format: "host:ip")`)
- flags.StringArrayVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`)
+ flags.StringArrayVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure", "device")`)
 flags.StringArrayVarP(&options.annotations, "annotation", "", []string{}, "Add annotation to the image")
diff --git a/docs/reference/buildx_bake.md b/docs/reference/buildx_bake.md
index 87384f8ced3c..3f0e97b58aea 100644
--- a/docs/reference/buildx_bake.md
+++ b/docs/reference/buildx_bake.md
@@ -65,7 +65,7 @@ entitlements, making it clear when a build or bake operation requires elevated
 privileges.
 In addition to BuildKit's `network.host` and `security.insecure` entitlements
-(see [`docker buildx build --allow`](https://docs.docker.com/reference/cli/docker/buildx/build/#allow),
+(see [`docker buildx build --allow`](https://docs.docker.com/reference/cli/docker/buildx/build/#allow)),
 Bake supports file system entitlements that grant granular control over file
 system access. These are particularly useful when working with builds that need
 access to files outside the default working directory.
diff --git a/docs/reference/buildx_build.md b/docs/reference/buildx_build.md
index 94305d3d5e4c..464a71523173 100644
--- a/docs/reference/buildx_build.md
+++ b/docs/reference/buildx_build.md
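Review bot: The help string now offers a bare `"device"` as the example, but per the buildx_build.md hunk in this same commit the bare form is the broadest grant (`--allow device` is "access to all devices") while `device=kind|name` scopes it to one device, so users reading `--help` alone are steered toward the widest privilege. I would surface the scoped spelling in the flag help so the least-privileged form is discoverable without the reference docs, e.g. `Allow extra privileged entitlement (e.g., "network.host", "security.insecure", "device=kind|name")`. Keeping this flag as StringArrayVar rather than StringSliceVar looks right, since the documented `device=kind|name,alias=kind|name` value contains a comma that slice-style parsing would presumably split. Whether the client validates the entitlement syntax before sending it to the daemon is not visible here; buildCmd starts before and continues past this hunk.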
@@ -16,7 +16,7 @@ Start a build
 | Name | Type | Default | Description |
 |:----------------------------------------|:--------------|:----------|:-------------------------------------------------------------------------------------------------------------|
 | [`--add-host`](#add-host) | `stringSlice` | | Add a custom host-to-IP mapping (format: `host:ip`) |
-| [`--allow`](#allow) | `stringArray` | | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`) |
+| [`--allow`](#allow) | `stringArray` | | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`, `device`) |
 | [`--annotation`](#annotation) | `stringArray` | | Add annotation to the image |
 | [`--attest`](#attest) | `stringArray` | | Attestation parameters (format: `type=sbom,generator=image`) |
 | [`--build-arg`](#build-arg) | `stringArray` | | Set build-time variables |
@@ -173,6 +173,10 @@ Allow extra privileged entitlement. List of entitlements:
 - `network.host` - Allows executions with host networking.
 - `security.insecure` - Allows executions without sandbox. See [related Dockerfile extensions](https://docs.docker.com/reference/dockerfile/#run---security).
+- `device` - Allows access to Container Device Interface (CDI) devices. - `--allow device` - Grants access to all devices. - `--allow device=kind|name` - Grants access to a specific device. - `--allow device=kind|name,alias=kind|name` - Grants access to a specific device, with optional aliasing.
 For entitlements to be enabled, the BuildKit daemon also needs to allow them
 with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](buildx_create.md#buildkitd-flags)).
diff --git a/docs/reference/buildx_dap_build.md b/docs/reference/buildx_dap_build.md
index da8f3ff416b8..8d041661c1b6 100644
--- a/docs/reference/buildx_dap_build.md
+++ b/docs/reference/buildx_dap_build.md
@@ -8,7 +8,7 @@ Start a build
 | Name | Type | Default | Description |
 |:--------------------|:--------------|:----------|:-------------------------------------------------------------------------------------------------------------|
 | `--add-host` | `stringSlice` | | Add a custom host-to-IP mapping (format: `host:ip`) |
-| `--allow` | `stringArray` | | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`) |
+| `--allow` | `stringArray` | | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`, `device`) |
 | `--annotation` | `stringArray` | | Add annotation to the image |
 | `--attest` | `stringArray` | | Attestation parameters (format: `type=sbom,generator=image`) |
 | `--build-arg` | `stringArray` | | Set build-time variables |
diff --git a/docs/reference/buildx_debug_build.md b/docs/reference/buildx_debug_build.md
index ee3594804c67..6d363df9ca6b 100644
--- a/docs/reference/buildx_debug_build.md
+++ b/docs/reference/buildx_debug_build.md
@@ -12,7 +12,7 @@ Start a build
 | Name | Type | Default | Description |
 |:--------------------|:--------------|:----------|:-------------------------------------------------------------------------------------------------------------|
 | `--add-host` | `stringSlice` | | Add a custom host-to-IP mapping (format: `host:ip`) |
-| `--allow` | `stringArray` | | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`) |
+| `--allow` | `stringArray` | | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`, `device`) |
 | `--annotation` | `stringArray` | | Add annotation to the image |
 | `--attest` | `stringArray` | | Attestation parameters (format: `type=sbom,generator=image`) |
 | `--build-arg` | `stringArray` | | Set build-time variables |