
Commit f094c88

Replace ASCII art diagrams with PNG images in README
1 parent b66c741 commit f094c88

3 files changed (+2, -49 lines)


README.md

Lines changed: 2 additions & 49 deletions
@@ -22,24 +22,7 @@ buildcage solves this by restricting outbound network access during builds to on
2222

2323
buildcage runs as a [remote driver](https://docs.docker.com/build/builders/drivers/remote/) for Docker Buildx. All `RUN` step containers are placed on an isolated network, and outbound traffic is routed through a proxy that enforces your allowlist.
2424

25-
```text
26-
┌─ Docker Buildx (remote driver) ───────────────────────────┐
27-
│ │
28-
│ buildcage container │
29-
│ ┌─────────────────────────────────────────────────────┐ │
30-
│ │ │ │
31-
│ │ buildkitd ──→ internet (image pull only) │ │
32-
│ │ │ │
33-
│ │ ┌─────────────────┐ ┌───────────────────────┐ │ │
34-
│ │ │ RUN step │───→│ Proxy (nginx) │ │ │
35-
│ │ │ (isolated net) │ │ │ │ │
36-
│ │ │ npm install, │ │ allowed domain? │ │ │
37-
│ │ │ apt-get, etc. │ │ Yes → internet │ │ │
38-
│ │ └─────────────────┘ │ No → blocked+logged │ │ │
39-
│ │ └───────────────────────┘ │ │
40-
│ └─────────────────────────────────────────────────────┘ │
41-
└───────────────────────────────────────────────────────────┘
42-
```
25+
<img src="assets/diagram-overview.png" alt="How buildcage works" width="544" height="328">
4326

4427
- HTTPS: SNI (Server Name Indication) for domain matching — TLS is not terminated
4528
- HTTP: Host header for domain matching
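Review bot: the deleted text diagram stated a security-relevant fact that the surrounding prose does not, namely `buildkitd ──→ internet (image pull only)`: the daemon itself keeps unrestricted egress and only the `RUN` step containers are routed through the allowlisting proxy. After this hunk that distinction survives only inside `assets/diagram-overview.png`, which a text-only view, a screen reader or `grep` cannot see, and the alt text "How buildcage works" does not carry it either. Suggest adding one sentence after the `<img>` line, for example "buildkitd itself keeps direct internet access for image pulls; only RUN step traffic passes through the proxy.", and giving the alt attribute a description of the data flow rather than a title. Note also that a relative `src` renders on GitHub but shows as a broken image anywhere the README is republished without the `assets/` directory.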
@@ -331,37 +314,7 @@ buildcage creates a controlled network environment for your Docker builds:
331314

332315
### Architecture Diagram
333316

334-
```text
335-
┌──────────────────────────────────────────────────────────────────┐
336-
│ Builder container (privileged, single container) │
337-
│ │
338-
│ ┌──────────────────────────┐ │
339-
│ │ buildkitd (PID 1) │──→ internet (image pull) │
340-
│ │ --oci-worker-net=cni │ │
341-
│ └──────────────────────────┘ │
342-
│ │
343-
│ ┌──────────────────────────┐ ┌──────────────────────────────┐ │
344-
│ │ dnsmasq │ │ nginx │ │
345-
│ │ all domains → 172.20.0.1 │ │ HTTP proxy (port 80) │ │
346-
│ │ port 53 │ │ HTTPS stream proxy (port 443)│ │
347-
│ └──────────────────────────┘ │ Allow/Block based on │ │
348-
│ ↑ │ SNI (HTTPS) / Host (HTTP) │ │
349-
│ │ DNS │ ↓ │ │
350-
│ │ │ internet (allowed domains) │ │
351-
│ │ └──────────────────────────────┘ │
352-
│ ···········│·· buildkit0 bridge (172.20.0.1) ··················│
353-
│ │ ↑ │
354-
│ ┌───────────┴────────────────────┴────────┐ │
355-
│ │ RUN Step containers (CNI isolated-net) │ │
356-
│ │ IP: 172.20.0.100 - 172.20.0.200 │ │
357-
│ │ │ │
358-
│ │ DNS → 172.20.0.1:53 (dnsmasq) │ │
359-
│ │ HTTP/HTTPS → 172.20.0.1 (nginx) │ │
360-
│ │ Other traffic → blocked (iptables) │ │
361-
│ └─────────────────────────────────────────┘ │
362-
└──────────────────────────────────────────────────────────────────┘
363-
```
364-
317+
<img src="assets/diagram-architecture.png" alt="buildcage architecture" width="611" height="544">
365318

366319
All containers spawned by BuildKit `RUN` steps are placed on an isolated network (CNI). DNS queries are redirected to the proxy IP, and the proxy checks each request's SNI (HTTPS) or Host header (HTTP) against the allowlist before forwarding or blocking.
367320
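Review bot: the removed architecture diagram was the only place in the README that recorded several concrete facts (dnsmasq on 172.20.0.1 port 53 answering every domain with the proxy IP, nginx on port 80 as HTTP proxy and port 443 as HTTPS stream proxy, RUN step IPs 172.20.0.100 - 172.20.0.200 on the buildkit0 bridge, and `Other traffic → blocked (iptables)`); the surviving paragraph keeps only the DNS redirect and the SNI/Host check. Facts that now live solely in `assets/diagram-architecture.png` cannot be diffed or reviewed when a later commit changes the subnet, the ports or the iptables policy. Suggest either restoring them as a short bullet list under `### Architecture Diagram` or committing the diagram's editable source alongside the PNG so that future changes to it are reviewable in the same commit.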

assets/diagram-architecture.png

84 KB

assets/diagram-overview.png

39.5 KB

0 commit comments