unfork newuidmap/newgidmap
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>docker-18.09
parent
c168fad47f
commit
3a7209cde2
|
@ -149,12 +149,17 @@ VOLUME /var/lib/containerd
|
||||||
VOLUME /run/containerd
|
VOLUME /run/containerd
|
||||||
ENTRYPOINT ["containerd"]
|
ENTRYPOINT ["containerd"]
|
||||||
|
|
||||||
# Apply https://github.com/shadow-maint/shadow/pull/132 so that we don't need CAP_SYS_ADMIN for newuidmap/newgidmap
|
# To allow running buildkit in a container without CAP_SYS_ADMIN, we need to do either
|
||||||
|
# a) install newuidmap/newgidmap with file capabilities rather than SETUID (requires kernel >= 4.14)
|
||||||
|
# b) install newuidmap/newgidmap >= 20181028
|
||||||
|
# We choose b) until kernel >= 4.14 gets widely adopted.
|
||||||
|
# See https://github.com/shadow-maint/shadow/pull/132 https://github.com/shadow-maint/shadow/pull/138
|
||||||
# (Note: we don't use the patched idmap for the testsuite image)
|
# (Note: we don't use the patched idmap for the testsuite image)
|
||||||
FROM alpine:3.8 AS idmap
|
FROM alpine:3.8 AS idmap
|
||||||
RUN apk add --no-cache autoconf automake build-base byacc gettext gettext-dev gcc git libcap-dev libtool libxslt
|
RUN apk add --no-cache autoconf automake build-base byacc gettext gettext-dev gcc git libcap-dev libtool libxslt
|
||||||
RUN ( git clone -b no-cap-sys-admin https://github.com/giuseppe/shadow.git /shadow && cd /shadow )
|
RUN git clone https://github.com/shadow-maint/shadow.git /shadow
|
||||||
WORKDIR /shadow
|
WORKDIR /shadow
|
||||||
|
RUN git checkout 42324e501768675993235e03f7e4569135802d18
|
||||||
RUN ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd \
|
RUN ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd \
|
||||||
&& make \
|
&& make \
|
||||||
&& cp src/newuidmap src/newgidmap /usr/bin
|
&& cp src/newuidmap src/newgidmap /usr/bin
|
||||||
|
|
|
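Review bot: The pin on the added `RUN git checkout 42324e501768675993235e03f7e4569135802d18` line is a bare SHA that nothing ties to the `>= 20181028` requirement in the comment above it, so a later reader cannot tell whether the pinned tree contains both shadow pull requests. Since newuidmap/newgidmap are privileged helpers built from source here, I would record the provenance next to the pin, e.g. `# shadow-maint/shadow as of <DATE>; includes PR 132 and PR 138 (re-verify when bumping)`. The second hunk (`@ -203,12 +203,17 @@`) adds the same lines, so the two pins have to be bumped together. The idmap stage continues outside both hunks, so how the copied binaries get their setuid bit or file capabilities is not visible here.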
@ -203,12 +203,17 @@ COPY --from=containerd /out/containerd* /usr/bin/
|
||||||
COPY --from=binaries / /usr/bin/
|
COPY --from=binaries / /usr/bin/
|
||||||
COPY . .
|
COPY . .
|
||||||
|
|
||||||
# Apply https://github.com/shadow-maint/shadow/pull/132 so that we don't need CAP_SYS_ADMIN for newuidmap/newgidmap
|
# To allow running buildkit in a container without CAP_SYS_ADMIN, we need to do either
|
||||||
|
# a) install newuidmap/newgidmap with file capabilities rather than SETUID (requires kernel >= 4.14)
|
||||||
|
# b) install newuidmap/newgidmap >= 20181028
|
||||||
|
# We choose b) until kernel >= 4.14 gets widely adopted.
|
||||||
|
# See https://github.com/shadow-maint/shadow/pull/132 https://github.com/shadow-maint/shadow/pull/138
|
||||||
# (Note: we don't use the patched idmap for the testsuite image)
|
# (Note: we don't use the patched idmap for the testsuite image)
|
||||||
FROM alpine:3.8 AS idmap
|
FROM alpine:3.8 AS idmap
|
||||||
RUN apk add --no-cache autoconf automake build-base byacc gettext gettext-dev gcc git libcap-dev libtool libxslt
|
RUN apk add --no-cache autoconf automake build-base byacc gettext gettext-dev gcc git libcap-dev libtool libxslt
|
||||||
RUN ( git clone -b no-cap-sys-admin https://github.com/giuseppe/shadow.git /shadow && cd /shadow )
|
RUN git clone https://github.com/shadow-maint/shadow.git /shadow
|
||||||
WORKDIR /shadow
|
WORKDIR /shadow
|
||||||
|
RUN git checkout 42324e501768675993235e03f7e4569135802d18
|
||||||
RUN ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd \
|
RUN ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd \
|
||||||
&& make \
|
&& make \
|
||||||
&& cp src/newuidmap src/newgidmap /usr/bin
|
&& cp src/newuidmap src/newgidmap /usr/bin
|
||||||
|
|