zenfyr.dev
hello, i suppose this is less of an issue and more of a question, but i was wondering if it's possible to build oci images on a tangled spindle?
spindle doesn't seem to expose a docker socket and simply installing docker/podman/buildah from nix repos fails with various security exceptions. tbh i'm not smart enough to figure those out :P
so, as an update. in my tests, locally with rootless podman, this seems to happen because ci containers have all their caps dropped. adding CAP_CHOWN, CAP_FOWNER, CAP_SETUID, CAP_SETGID seems to make images (that i've tried, including mastodon, knot, appviewlite) build correctly with kaniko
tangled.org
anirudh.fi
www.zenfyr.dev
This is a bit tricky to do using Docker itself since it requires the daemon (or the host docker.sock which isn't great for security). One option for now could be to use nix/buildah to build the OCI image? Granted I haven't personally tried this yet.
I'll give it a go โ and see what those security exceptions are about as well.