From 3a7209cde217fab6801c14400d753c30cc57af6c Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Mon, 29 Oct 2018 15:59:44 +0900
Subject: [PATCH] unfork newuidmap/newgidmap
Signed-off-by: Akihiro Suda
---
 hack/dockerfiles/test.Dockerfile | 9 +++++++--
 hack/dockerfiles/test.buildkit.Dockerfile | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/hack/dockerfiles/test.Dockerfile b/hack/dockerfiles/test.Dockerfile
index 0a0795a5..dc48392d 100644
--- a/hack/dockerfiles/test.Dockerfile
+++ b/hack/dockerfiles/test.Dockerfile
@@ -149,12 +149,17 @@ VOLUME /var/lib/containerd
 VOLUME /run/containerd
 ENTRYPOINT ["containerd"]
-# Apply https://github.com/shadow-maint/shadow/pull/132 so that we don't need CAP_SYS_ADMIN for newuidmap/newgidmap
+# To allow running buildkit in a container without CAP_SYS_ADMIN, we need to do either
+# a) install newuidmap/newgidmap with file capabilities rather than SETUID (requires kernel >= 4.14)
+# b) install newuidmap/newgidmap >= 20181028
+# We choose b) until kernel >= 4.14 gets widely adopted.
+# See https://github.com/shadow-maint/shadow/pull/132 https://github.com/shadow-maint/shadow/pull/138
 # (Note: we don't use the patched idmap for the testsuite image)
 FROM alpine:3.8 AS idmap
 RUN apk add --no-cache autoconf automake build-base byacc gettext gettext-dev gcc git libcap-dev libtool libxslt
-RUN ( git clone -b no-cap-sys-admin https://github.com/giuseppe/shadow.git /shadow && cd /shadow )
+RUN git clone https://github.com/shadow-maint/shadow.git /shadow
 WORKDIR /shadow
+RUN git checkout 42324e501768675993235e03f7e4569135802d18
 RUN ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd \
 && make \
 && cp src/newuidmap src/newgidmap /usr/bin
diff --git a/hack/dockerfiles/test.buildkit.Dockerfile b/hack/dockerfiles/test.buildkit.Dockerfile
index f303fa22..939648b8 100644
--- a/hack/dockerfiles/test.buildkit.Dockerfile
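Review bot: The new `RUN git clone https://github.com/shadow-maint/shadow.git /shadow` and `RUN git checkout 42324e501768675993235e03f7e4569135802d18` are separate layers, so the clone is cached by its unchanged instruction text and a later bump of the pinned commit to one newer than the cached clone fails at checkout until the image is rebuilt without cache; combine them into one step, `RUN git clone https://github.com/shadow-maint/shadow.git /shadow && git -C /shadow checkout 42324e501768675993235e03f7e4569135802d18`, and drop the separate checkout line. The same applies to the identical hunk in hack/dockerfiles/test.buildkit.Dockerfile. Pinning to a full commit hash is the right choice here (the removed line tracked a branch of a fork, which can be moved or rewritten), but the hunk does not say how the hash was chosen; a comment such as `# Pinned to an upstream commit that includes shadow-maint/shadow#138; replace with a release tag once one contains it` would tell the next maintainer when the pin can be retired. The untouched context line `# (Note: we don't use the patched idmap for the testsuite image)` still describes the old forked build, so "patched" should become "pinned upstream" or similar.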
+++ b/hack/dockerfiles/test.buildkit.Dockerfile
@@ -203,12 +203,17 @@ COPY --from=containerd /out/containerd* /usr/bin/
 COPY --from=binaries / /usr/bin/
 COPY . .
-# Apply https://github.com/shadow-maint/shadow/pull/132 so that we don't need CAP_SYS_ADMIN for newuidmap/newgidmap
+# To allow running buildkit in a container without CAP_SYS_ADMIN, we need to do either
+# a) install newuidmap/newgidmap with file capabilities rather than SETUID (requires kernel >= 4.14)
+# b) install newuidmap/newgidmap >= 20181028
+# We choose b) until kernel >= 4.14 gets widely adopted.
+# See https://github.com/shadow-maint/shadow/pull/132 https://github.com/shadow-maint/shadow/pull/138
 # (Note: we don't use the patched idmap for the testsuite image)
 FROM alpine:3.8 AS idmap
 RUN apk add --no-cache autoconf automake build-base byacc gettext gettext-dev gcc git libcap-dev libtool libxslt
-RUN ( git clone -b no-cap-sys-admin https://github.com/giuseppe/shadow.git /shadow && cd /shadow )
+RUN git clone https://github.com/shadow-maint/shadow.git /shadow
 WORKDIR /shadow
+RUN git checkout 42324e501768675993235e03f7e4569135802d18
 RUN ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd \
 && make \
 && cp src/newuidmap src/newgidmap /usr/bin