Monorepo for Tangled tangled.org

extend container caps #677

merged opened by zenfyr.dev targeting master

kaniko (and other docker build tools) require permission to change file ownership to successfully build containers.

i'm leaving this here for consideration, not sure about this security wise, the better solution would be to use kvm, i think. in our case docker is running in sysbox without privileged: true so it should be fine(??)


Participants 3
AT URI
at://did:plc:rjhjcb3rgdsmdr6ykywuh63z/sh.tangled.repo.pull/3m3cgpzdhh222
Diff #1 +1 -1
spindle/engines/nixery/engine.go
··· 222 222 }, 223 223 ReadonlyRootfs: false, 224 224 CapDrop: []string{"ALL"}, 225 - CapAdd: []string{"CAP_DAC_OVERRIDE"}, 225 + CapAdd: []string{"CAP_DAC_OVERRIDE", "CAP_CHOWN", "CAP_FOWNER", "CAP_SETUID", "CAP_SETGID"}, 226 226 SecurityOpt: []string{"no-new-privileges"}, 227 227 ExtraHosts: []string{"host.docker.internal:host-gateway"}, 228 228 }, nil, nil, "")
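Review bot: the PR description justifies this change as needing to change file ownership, which CAP_CHOWN (plus CAP_FOWNER for permission bits on files the build process does not own) covers; CAP_SETUID and CAP_SETGID in the new CapAdd line go beyond that and let a process inside the build container switch uid/gid directly via setuid()/setgid(), which the no-new-privileges option kept on the following line does not prevent, since it only blocks privilege gain through setuid binaries and file capabilities at execve. Suggest either dropping those two if kaniko builds still succeed without them, or documenting per capability which tool needs it, e.g. a comment next to the line such as `// kaniko: chown/chmod of files in the build rootfs` so the next reader can tell which entries are load-bearing.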

History

2 rounds 3 comments

As far as I can tell this only works for Kaniko; I haven't had much success getting podman or buildah to work. But from a security perspective, I agree, these should be safe. The ones to watch out for are CAP_SYS_ADMIN and SYS_MODULE.
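One way to keep a build-container capability set on a short leash, as an added example that is not part of the Tangled code base or this PR: a small policy check run over the HostConfig values before the engine creates the container. It assumes a local `BuildHostConfig` struct standing in for the Docker SDK fields touched by the diff (so it runs without the Docker client library), an allowlist made of exactly the five capabilities the merged diff adds, and treats `CapDrop: ["ALL"]` plus `no-new-privileges` as mandatory; anything else in CapAdd, including CAP_SYS_ADMIN or CAP_SYS_MODULE, is reported as a violation.

```go
package main

import (
	"fmt"
	"strings"
)

// BuildHostConfig holds the HostConfig fields relevant to the capability policy.
// It is a local stand-in (assumption) for the corresponding Docker SDK fields,
// so this example compiles without the Docker client library.
type BuildHostConfig struct {
	Privileged     bool
	ReadonlyRootfs bool
	CapDrop        []string
	CapAdd         []string
	SecurityOpt    []string
}

// allowedCaps is a constructed allowlist: the capabilities the merged diff grants
// for kaniko-style builds (ownership and permission changes in the build rootfs).
var allowedCaps = map[string]bool{
	"CAP_DAC_OVERRIDE": true,
	"CAP_CHOWN":        true,
	"CAP_FOWNER":       true,
	"CAP_SETUID":       true,
	"CAP_SETGID":       true,
}

// normalizeCap accepts both spellings Docker understands ("SYS_ADMIN" and
// "CAP_SYS_ADMIN") and returns the CAP_-prefixed upper-case form.
func normalizeCap(c string) string {
	c = strings.ToUpper(strings.TrimSpace(c))
	if !strings.HasPrefix(c, "CAP_") {
		c = "CAP_" + c
	}
	return c
}

// ValidateBuildHostConfig returns one message per policy violation; an empty
// result means the configuration is acceptable.
func ValidateBuildHostConfig(cfg BuildHostConfig) []string {
	var problems []string

	if cfg.Privileged {
		problems = append(problems, "Privileged must be false")
	}

	// Dropping ALL first means only the explicit CapAdd entries remain.
	dropAll := false
	for _, c := range cfg.CapDrop {
		if normalizeCap(c) == "CAP_ALL" {
			dropAll = true
		}
	}
	if !dropAll {
		problems = append(problems, `CapDrop must include "ALL"`)
	}

	for _, c := range cfg.CapAdd {
		if n := normalizeCap(c); !allowedCaps[n] {
			problems = append(problems, "CapAdd contains "+n+", which is not in the allowlist")
		}
	}

	// Docker accepts both "no-new-privileges" and "no-new-privileges:true".
	nnp := false
	for _, o := range cfg.SecurityOpt {
		if o == "no-new-privileges" || o == "no-new-privileges:true" {
			nnp = true
		}
	}
	if !nnp {
		problems = append(problems, `SecurityOpt must include "no-new-privileges"`)
	}

	return problems
}

// SpindleBuildConfig reproduces the values from the merged diff above
// (CapDrop ALL, the five CapAdd entries, no-new-privileges).
func SpindleBuildConfig() BuildHostConfig {
	return BuildHostConfig{
		ReadonlyRootfs: false,
		CapDrop:        []string{"ALL"},
		CapAdd:         []string{"CAP_DAC_OVERRIDE", "CAP_CHOWN", "CAP_FOWNER", "CAP_SETUID", "CAP_SETGID"},
		SecurityOpt:    []string{"no-new-privileges"},
	}
}

func main() {
	// Constructed inputs: the merged configuration and one that sneaks in SYS_ADMIN.
	fmt.Println("merged config:", ValidateBuildHostConfig(SpindleBuildConfig()))
	risky := SpindleBuildConfig()
	risky.CapAdd = append(risky.CapAdd, "SYS_ADMIN")
	fmt.Println("with SYS_ADMIN:", ValidateBuildHostConfig(risky))
}
```

Wiring a check like this into the engine right before the container-create call turns a future "just add one more capability" change into a visible policy edit rather than a silent widening of the sandbox.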

pull request successfully merged

merge conflicts detected

okkkkkkkkkkay

I believe the diff is missing a newline at the end, which results in it being a corrupt patch; you can test this out yourself with:

curl https://tangled.org/@tangled.org/core/pulls/677/round/0.patch | git apply