extend container caps #677

merged

opened by

zenfyr.dev 2 months ago targeting master

kaniko (and other docker build tools) require permission to change file ownership to successfully build containers.

i'm leaving this here for consideration, not sure about this security wise,, the better solution would be to use kvm, i think. in our case docker is running in sysbox without privileged: true so it should be fine(??)

options

unified split

Changed files

+1 -1

spindle

engines

nixery

engine.go

+1 -1

spindle/engines/nixery/engine.go

···

       222
       222
        
       		},

     

       223
       223
        
       		ReadonlyRootfs: false,

     

       224
       224
        
       		CapDrop:        []string{"ALL"},

     

       225
       225
       -
       		CapAdd:         []string{"CAP_DAC_OVERRIDE"},

     

       225
       225
       +
       		CapAdd:         []string{"CAP_DAC_OVERRIDE", "CAP_CHOWN", "CAP_FOWNER", "CAP_SETUID", "CAP_SETGID"},

     

       226
       226
        
       		SecurityOpt:    []string{"no-new-privileges"},

     

       227
       227
        
       		ExtraHosts:     []string{"host.docker.internal:host-gateway"},

     

       228
       228
        
       	}, nil, nil, "")