Build with abuild rootbld in Docker container
Revision history: Arlecchino (Created page with "= Build packages with abuild rootbld in Docker container = In progress..."); WhyNotHugo (→The most unsafe solution: only possible when docker runs as root).
[[Category:Development]]
= Container privileges =
'''abuild-rootbld''' uses [https://github.com/containers/bubblewrap bwrap] to create an unprivileged sandbox.
To be allowed to use bwrap in the Alpine system running in the Docker container, the container needs additional privileges.
== The most unsafe solution ==
Simply start the container with the '''--privileged''' argument or set it in the [https://docs.docker.com/compose/compose-file/#privileged compose file].
This is only possible when Docker (or Podman) is running as root.
== Safe solution using a modified seccomp profile ==
Take the default '''seccomp profile''' from [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json github.com/moby/moby]
and add this new object to the existing '''syscalls''' JSON array:
<nowiki>
{
    "syscalls": [
        {
            "names": [
                "clone",
                "mount",
                "pivot_root",
                "setdomainname",
                "sethostname",
                "umount2"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}
</nowiki>
Save the extended profile to a file such as '''seccomp-bwrap.json'''.
There is no predefined [https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities capability] that grants the ''pivot_root'' syscall, so adding capabilities alone does not help; the seccomp profile is required.
The newly created file can be used in one of the following ways:
* Run the container with the argument <code>--security-opt seccomp=./seccomp-bwrap.json</code>. See the [https://docs.docker.com/engine/reference/commandline/run/#optional-security-options---security-opt run reference] and the [https://docs.docker.com/engine/security/seccomp/#pass-a-profile-for-a-container seccomp security documentation].
* Specify in the [https://docs.docker.com/compose/compose-file/#security_opt compose file] that this profile is to be used:
<nowiki>
security_opt:
  - seccomp=./seccomp-bwrap.json
</nowiki>
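A small helper that applies the steps above to a profile file, as an added example that is not part of the wiki page or of abuild, bwrap or Docker: it appends the allow rule to a profile in the moby default.json layout, writes the result, and lists the syscall names that an existing rule already matched. The appended rule carries no argument filter, so any such name becomes unconditionally allowed; that list is what to review before deploying the profile. The embedded SAMPLE_DEFAULT_PROFILE is a constructed stand-in for default.json, not a copy of it, and the function and file names are the example's own.

```python
"""Merge the bwrap syscall allow-list into a Docker seccomp profile.

Added example, not code from the Alpine wiki or from moby/abuild. Reads a
profile in the moby default.json layout, appends the allow rule the page
describes, and reports names an existing rule already matched so the
unconditional allow can be reviewed before use.
"""
import copy
import json

# Syscalls bwrap needs, exactly as listed on the page.
BWRAP_SYSCALLS = ["clone", "mount", "pivot_root", "setdomainname",
                  "sethostname", "umount2"]

# Constructed stand-in for the moby default profile (not the real file):
# one plain allow rule and one rule that allows "clone" only when an
# argument filter matches, the shape a reviewer should notice.
SAMPLE_DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        {
            "names": ["clone"],
            "action": "SCMP_ACT_ALLOW",
            # constructed filter values, only the presence of "args" matters here
            "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}],
        },
    ],
}


def already_matched(profile, names):
    """Return the sorted subset of names that some existing rule matches.

    After the merge these names are allowed without any argument filter,
    because the appended rule has none; list them for review.
    """
    hits = set()
    for rule in profile.get("syscalls", []):
        for name in rule.get("names", []):
            if name in names:
                hits.add(name)
    return sorted(hits)


def add_bwrap_rule(profile, names=BWRAP_SYSCALLS):
    """Return a copy of profile with the bwrap allow rule appended."""
    if "defaultAction" not in profile or "syscalls" not in profile:
        raise ValueError("not a seccomp profile: missing defaultAction or syscalls")
    merged = copy.deepcopy(profile)  # leave the caller's profile untouched
    merged["syscalls"].append({"names": list(names), "action": "SCMP_ACT_ALLOW"})
    return merged


def is_allowed_unconditionally(profile, name):
    """True if some rule allows name with no argument filter attached."""
    return any(
        name in rule.get("names", [])
        and rule.get("action") == "SCMP_ACT_ALLOW"
        and not rule.get("args")
        for rule in profile.get("syscalls", [])
    )


def merge_file(src_path, dst_path):
    """Read src_path, append the rule, write dst_path; return names to review."""
    with open(src_path) as fh:
        profile = json.load(fh)
    merged = add_bwrap_rule(profile)
    with open(dst_path, "w") as fh:
        json.dump(merged, fh, indent=2)
    return already_matched(profile, BWRAP_SYSCALLS)


if __name__ == "__main__":
    import sys
    # usage: python merge_bwrap_seccomp.py default.json seccomp-bwrap.json
    src, dst = sys.argv[1:3]
    overridden = merge_file(src, dst)
    if overridden:
        print("review: unconditional allow now covers previously filtered rules for:",
              ", ".join(overridden))
```

Run it on the downloaded default.json to produce seccomp-bwrap.json; the printed review line, if any, names the syscalls whose existing, narrower rules the new entry widens, which is the difference between this profile and the default that an operator should consciously accept.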
= Run abuild =
== Start container ==
{{Cmd|docker start <container-name>}}
Connect to the container with <code>ssh</code> or <code>docker exec</code>.
== net option ==
By default the rootbld sandbox has no network access.<br>
If the build process needs network access to download additional files during the build commands, you have to specify the '''net''' option in the [https://wiki.alpinelinux.org/wiki/APKBUILD_Reference#options APKBUILD] file's options.
== abuild rootbld ==
Run the following in your git repository path:
{{Cmd|abuild rootbld}}

Latest revision as of 05:07, 17 October 2024