Commit Graph

14 Commits (be6de5138bf23883f689aa37b57bef76e4b04ad2)

Author SHA1 Message Date
Akihiro Suda b182bcb07e docs/rootless.md: add instruction for isolating netns
Isolating the network namespace with `rootlesskit --net=slirp4netns` is
recommended for protecting localhost sockets and abstract sockets on the host.

This is not meaningful for running rootless buildkitd inside a
container, so slirp4netns is not added to the Dockerfile.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-01 17:47:41 +09:00
Akihiro Suda 444d506251 docs/rootless.md: drop support for Debian 9 and Fedora 30
Debian 9 has reached EOL on 2020-07-06: https://wiki.debian.org/DebianReleases
Fedora 30 has reached EOL on 2020-05-26: https://fedoraproject.org/wiki/End_of_life

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-07-27 14:34:56 +09:00
Akihiro Suda 8b56fac46b rootless: graduate from experimental
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-10 12:04:53 +09:00
Akihiro Suda 9f90f5a985 rootless: support fuse-overlayfs
While real overlayfs is available only in Ubuntu and Debian kernels,
fuse-overlayfs is universally available for kernel >= 4.18.

For dockerized deployment, `--device /dev/fuse` needs to be added to
`docker run` flags.

Kubernetes deployment needs a custom device plugin that enables
`/dev/fuse`, e.g. https://github.com/honkiko/k8s-hostdev-plugin

Instead of a device plugin, the device can also be enabled by setting
`securityContext.privileged` to `true`.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-03 11:30:29 +09:00
Akihiro Suda 04ba0e64a2 docs for Fedora 31 users
BuildKit with crun works fine on a cgroup2 system.
Tested both Rootful and Rootless on Fedora 31, with crun v0.10.2.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-29 15:02:38 +09:00
Akihiro Suda 5938170b84 hack: rename Dockerfiles
Fix https://github.com/moby/buildkit/issues/1208

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-18 17:21:48 +09:00
Akihiro Suda 1bde5d99d5 massive doc updates
* examples/kubernetes: newly added
* docs/rootless.md: cleaned up for better readability
* examples/README.md: split out from the main README.md
* examples/build-using-dockerfile/README.md: split out from the main README.md
* README.md: add TOC using https://github.com/thlorenz/doctoc
* README.md: add mTLS configuration (relates to #1074)
* README.md: add more adoptions
* README.md: add inline cache (fix #976)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-16 18:55:27 +09:00
Akihiro Suda c54f4a986d support --oci-worker-no-process-sandbox
Note that this mode allows build executor containers to kill (and potentially ptrace) an arbitrary process in the BuildKit host namespace.
This mode should be enabled only when BuildKit is running in a container as an unprivileged user.

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-01-08 10:42:52 +09:00
Akihiro Suda b5003d53eb update docs
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-11-01 16:17:26 +09:00
Akihiro Suda 048130d1d0 simplify rootless
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-16 14:05:58 +09:00
Akihiro Suda eebb7428f5 rootless: update docs/rootless.md
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-07-04 19:27:54 +09:00
Akihiro Suda 18ac6e2d9a test.Dockerfile: new target: "rootless"
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-06-04 23:17:03 +09:00
Akihiro Suda c9c0603847 fix rootless docs
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-06-01 13:04:55 +09:00
Akihiro Suda adef0dedef oci-worker: experimental support for rootless mode
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-05-31 16:05:13 +09:00