Add support for docker buildx to liberty:devc

[edburns]

My employer has a requirement that any public Dockerfile files we produce do not have FROM clauses that refer to images not produced or approved by my employer. This requirement is enforced with a security GitHub pipeline such as here. The output is similar to the following.

Container security analysis found 2 violations. This repo has one or more docker files having references to images from external
registries.

The Dockerfile in question has this FROM clause:

FROM icr.io/appcafe/open-liberty:kernel-java8-openj9-ubi

The recommended guidance is to use docker buildx build --build-context. This would allow us to change the Dockerfile FROM line to be:

FROM openliberty

And then invoke the build like this:

$  docker buildx build --build-context openliberty=docker-image://icr.io/appcafe/open-liberty:kernel-java8-openj9-ubi

There does not seem to be support for this in liberty:devc. There is support for a dockerBuildContext parameter but that's just a directory name.

Please consider this feature.

[edburns]

Internal tracker: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/1614067

[TrevCraw]

@edburns Thank you for this feature suggestion! We are interested in this idea and we would like to explore it further to see if we can support it.

[cherylking]

This recently came up in discussion with another customer. So I want to update with some current info and observations.

It looks like Docker is moving away from the classic builder and moving towards using the BuildKit by default. This link does a good job of explaining current behavior and what the following messages mean:

Since the “buildx” enabled features are now available through the base docker build command as of Docker v23.0, it will make it easier for us to support this in our plugins. It is still required for users to explicitly set DOCKER_BUILDKIT=1 to use the BuildKit. Eventually, users will be forced to use the BuildKit, so at some point the fallback to the classic builder will not work. The docs do not specify if setting DOCKER_BUILDKIT=1 will still be required at that point.

Important caveat: BuildKit does not (yet) provide support for building Windows images, and docker build continues to use the classic builder to build native Windows images on Windows daemons.

Questions:

1. Will devc have the original issue reported when using the BuildKit by default: Docker build output logged as ERROR when run liberty:devc on Win VM #1045
2. Will devc have any other issues with using the BuildKit by default. This will require some testing/experimentation (with Docker explicitly).

If the above considerations are not a problem, then we should be in pretty good shape. We will need to eventually remove the code to set DOCKER_BUILDKIT=0 when that is no longer an available setting (the docs don't have a removal date for this yet). We would also need to provide a way for the end user to specify the build options for --build-context, perhaps a new containerBuildOpts that is a List<String>. This is so each option can be specified individually on the ProcessBuilder that ultimately runs the command, which ensures proper processing for things like spaces in paths.