Monorepo for Tangled — https://tangled.org

extend container caps #677

merged
opened by zenfyr.dev targeting master

kaniko (and other docker build tools) require permission to change file ownership to successfully build containers.

i'm leaving this here for consideration, not sure about this security-wise, the better solution would be to use kvm, i think. in our case docker is running in sysbox without privileged: true so it should be fine(??)

0
by zenfyr.dev 2 comments

merge conflicts detected

okkkkkkkkkkay

i believe the diff is missing a newline at the end which results in it being a corrupt patch, you can test this out yourself with:

curl https://tangled.org/@tangled.org/core/pulls/677/round/0.patch | git apply
1
by zenfyr.dev 1 comment

As far as I can tell this only works for Kaniko; I haven't had much success getting podman or buildah to work. But from a security perspective, I agree, these should be safe. The ones to watch out for are CAP_SYS_ADMIN and SYS_MODULE

pull request successfully merged
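
The review comment above names CAP_SYS_ADMIN and SYS_MODULE as the capabilities to watch for when a container's set is extended. As an added example (not part of this pull request or the Tangled code base), the script below decodes the `Cap*` masks from `/proc/<pid>/status` and flags those two; the sample status texts are constructed, the first using Docker's default capability mask.

```python
import re

# Capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = (
    "CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID "
    "CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE "
    "CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW "
    "CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT "
    "CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE "
    "CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE "
    "CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE "
    "CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND "
    "CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE"
).split()

# The two capabilities the review comment singles out.
WATCH = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE"}

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", re.M)


def decode(mask):
    """Return the names of the capabilities set in a 64-bit mask."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"bit{b}"
            for b in range(64) if (mask >> b) & 1]


def audit(status_text):
    """Parse the Cap* lines of a /proc/<pid>/status dump.

    Returns {field: (capability names, names that are on the watch list)}.
    """
    result = {}
    for field, hexmask in CAP_LINE.findall(status_text):
        caps = decode(int(hexmask, 16))
        result[field] = (caps, sorted(WATCH.intersection(caps)))
    return result


# Constructed samples: Docker's default set, and a fully privileged process.
SAMPLE_DEFAULT = "Name:\tsh\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
SAMPLE_ALL = "Name:\tsh\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    # Inside the container under review, read the real file instead:
    # text = open("/proc/self/status").read()
    for label, text in (("default", SAMPLE_DEFAULT), ("all", SAMPLE_ALL)):
        caps, flagged = audit(text)["CapEff"]
        print(f"{label}: {len(caps)} effective caps, flagged: {flagged or 'none'}")
```

CapBnd is worth checking as well as CapEff, since the bounding set limits what a process in the container can later acquire.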