Isolating network namespace with `rootlesskit --net=slirp4netns` is
recommended for protecting localhost sockets and abstract sockets on the host.
This is not meaningful for running rootless buildkitd inside a
container, so slirp4netns is not added in Dockerfile.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
While real overlayfs is available only in Ubuntu and Debian kernels,
fuse-overlayfs is universally available for kernel >= 4.18.
For dockerized deployment, `--device /dev/fuse` needs to be added to
`docker run` flags.
Kubernetes deployment needs a custom device plugin that enables
`/dev/fuse`, e.g. https://github.com/honkiko/k8s-hostdev-plugin
Instead of a device plugin, the device can be also enabled by setting
`securityContext.privileged` to `true`.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
BuildKit with crun works fine on cgroup2 system.
Tested both Rootful and Rootless on Fedora 31, with crun v0.10.2.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* examples/kubernetes: newly added
* docs/rootless.md: cleaned up for better readability
* examples/README.md: split out from the main README.md
* examples/build-using-dockerfile/README.md: split out from the main README.md
* README.md: add TOC using https://github.com/thlorenz/doctoc
* README.md: add mTLS configuration (relates to #1074)
* README.md: add more adoptions
* README.md: add inline cache (fix#976)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Note that this mode allows build executor containers to kill (and potentially ptrace) an arbitrary process in the BuildKit host namespace.
This mode should be enabled only when the BuildKit is running in a container as an unprivileged user.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Kohei Tokunaga
Akihiro Suda
Akihiro Suda