unfork newuidmap/newgidmap

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
docker-18.09
Akihiro Suda 2018-10-29 15:59:44 +09:00
parent c168fad47f
commit 3a7209cde2
2 changed files with 14 additions and 4 deletions


@ -149,12 +149,17 @@ VOLUME /var/lib/containerd
VOLUME /run/containerd
ENTRYPOINT ["containerd"]
# Apply https://github.com/shadow-maint/shadow/pull/132 so that we don't need CAP_SYS_ADMIN for newuidmap/newgidmap
# To allow running buildkit in a container without CAP_SYS_ADMIN, we need to do either
# a) install newuidmap/newgidmap with file capabilities rather than SETUID (requires kernel >= 4.14)
# b) install newuidmap/newgidmap >= 20181028
# We choose b) until kernel >= 4.14 gets widely adopted.
# See https://github.com/shadow-maint/shadow/pull/132 https://github.com/shadow-maint/shadow/pull/138
# (Note: we don't use the patched idmap for the testsuite image)
FROM alpine:3.8 AS idmap
RUN apk add --no-cache autoconf automake build-base byacc gettext gettext-dev gcc git libcap-dev libtool libxslt
RUN ( git clone -b no-cap-sys-admin https://github.com/giuseppe/shadow.git /shadow && cd /shadow )
RUN git clone https://github.com/shadow-maint/shadow.git /shadow
WORKDIR /shadow
RUN git checkout 42324e501768675993235e03f7e4569135802d18
RUN ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd \
&& make \
&& cp src/newuidmap src/newgidmap /usr/bin
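Review bot: Pinning the checkout to a full commit hash is the right move, but splitting `git clone` (unpinned, tracks whatever master is at build time) and `git checkout 42324e5…` into two RUN layers makes the pin fragile: when someone later bumps the hash, Docker will reuse the cached clone layer (its command string is unchanged) and the checkout of a commit that is not in that stale clone fails, or worse, an older cached clone silently satisfies an older hash. The fetch and the pin should be one atomic step, e.g. replace the clone and checkout lines with `RUN git clone https://github.com/shadow-maint/shadow.git /shadow && git -C /shadow checkout 42324e501768675993235e03f7e4569135802d18` and keep `WORKDIR /shadow` after it. Note also that `cp src/newuidmap src/newgidmap /usr/bin` produces plain 0755 binaries; option (b) in the comment still relies on them being setuid root, so whichever stage consumes this `idmap` output (outside this hunk) must apply `chmod u+s` — worth confirming since that is the whole point of the stage.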


@ -203,12 +203,17 @@ COPY --from=containerd /out/containerd* /usr/bin/
COPY --from=binaries / /usr/bin/
COPY . .
# Apply https://github.com/shadow-maint/shadow/pull/132 so that we don't need CAP_SYS_ADMIN for newuidmap/newgidmap
# To allow running buildkit in a container without CAP_SYS_ADMIN, we need to do either
# a) install newuidmap/newgidmap with file capabilities rather than SETUID (requires kernel >= 4.14)
# b) install newuidmap/newgidmap >= 20181028
# We choose b) until kernel >= 4.14 gets widely adopted.
# See https://github.com/shadow-maint/shadow/pull/132 https://github.com/shadow-maint/shadow/pull/138
# (Note: we don't use the patched idmap for the testsuite image)
FROM alpine:3.8 AS idmap
RUN apk add --no-cache autoconf automake build-base byacc gettext gettext-dev gcc git libcap-dev libtool libxslt
RUN ( git clone -b no-cap-sys-admin https://github.com/giuseppe/shadow.git /shadow && cd /shadow )
RUN git clone https://github.com/shadow-maint/shadow.git /shadow
WORKDIR /shadow
RUN git checkout 42324e501768675993235e03f7e4569135802d18
RUN ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd \
&& make \
&& cp src/newuidmap src/newgidmap /usr/bin
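Review bot: The comment justifies the pin as "newuidmap/newgidmap >= 20181028", but the code pins a bare sha with no tag and nothing ties the two together, so a future maintainer cannot tell what that commit is or what the floor for bumping it is. I would add a comment directly above the checkout such as `# shadow master as of 2018-10-28 (first commit containing shadow-maint/shadow#132 and #138, newuidmap/newgidmap without CAP_SYS_ADMIN)` — assuming that is indeed what 42324e5… corresponds to, which should be confirmed against upstream. The unchanged note "we don't use the patched idmap for the testsuite image" also reads stale now that the fork is gone; "patched" could become "rebuilt". The same clone-then-checkout layering as in the other file applies here: a bumped hash against a cached clone layer can fail, so `RUN git clone https://github.com/shadow-maint/shadow.git /shadow && git -C /shadow checkout 42324e501768675993235e03f7e4569135802d18` as a single step is safer.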