Build with abuild rootbld in Docker container

From Alpine Linux
Revision as of 05:07, 17 October 2024 by WhyNotHugo (talk | contribs) (→‎The most unsafe solution: only possible when docker runs as root)


Container privileges

abuild rootbld uses bwrap (bubblewrap) to create an unprivileged sandbox. For bwrap to work inside the Alpine system running in the Docker container, the container needs additional privileges.

The most unsafe solution

Simply start the container with the --privileged argument, or set the equivalent privileged option in the compose file.

This is only possible when Docker (or Podman) is running as root.

Safe solution using a modified seccomp profile

Take the default seccomp profile from github.com/moby/moby.

Add the following new object to the existing "syscalls" JSON array:

{
	"syscalls": [
		{
			"names": [
				"clone",
				"mount",
				"pivot_root",
				"setdomainname",
				"sethostname",
				"umount2"
			],
			"action": "SCMP_ACT_ALLOW"
		}
	]
}

Save the extended profile to a file such as seccomp-bwrap.json.

There is no predefined capability that grants the pivot_root syscall, which is why a modified seccomp profile is needed rather than a cap_add entry.
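As an added example (not part of this wiki page), the Python script below appends the allow rule from the previous section to a seccomp profile and checks that every syscall bwrap needs is allowed without an argument filter or capability condition. The embedded profile is a constructed, heavily shortened stand-in for the moby default profile, and the helper names are hypothetical.

```python
import copy
import json
from pathlib import Path

# Syscalls bwrap needs, as listed in the rule on this page.
BWRAP_SYSCALLS = ["clone", "mount", "pivot_root", "setdomainname", "sethostname", "umount2"]

# Constructed stand-in for the moby default profile: deny by default, allow clone
# only with an argument mask, and allow mount-related syscalls only with CAP_SYS_ADMIN.
DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 2114060288, "op": "SCMP_CMP_MASKED_EQ"}]},
        {"names": ["mount", "pivot_root", "umount2", "sethostname", "setdomainname"],
         "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}

def unconditionally_allowed(profile, name):
    """True if some rule allows `name` with no argument filter and no capability condition."""
    for rule in profile["syscalls"]:
        if name in rule.get("names", []) and rule.get("action") == "SCMP_ACT_ALLOW" \
                and not rule.get("args") and not rule.get("includes") and not rule.get("excludes"):
            return True
    return False

def missing_for_bwrap(profile):
    """Syscalls from BWRAP_SYSCALLS that the profile still restricts."""
    return [name for name in BWRAP_SYSCALLS if not unconditionally_allowed(profile, name)]

def add_bwrap_rule(profile):
    """Return a copy of the profile with the page's allow rule appended to the syscalls array."""
    extended = copy.deepcopy(profile)
    extended["syscalls"].append({"names": list(BWRAP_SYSCALLS), "action": "SCMP_ACT_ALLOW"})
    return extended

def write_profile(profile, path="seccomp-bwrap.json"):
    """Write the profile as the JSON file referenced by the compose security_opt entry."""
    Path(path).write_text(json.dumps(profile, indent=2))
    return path

if __name__ == "__main__":
    print("restricted before:", missing_for_bwrap(DEFAULT_PROFILE))
    extended = add_bwrap_rule(DEFAULT_PROFILE)
    print("restricted after:", missing_for_bwrap(extended))
    print("wrote", write_profile(extended))
```

Run the check against the real moby profile by loading it with json.load in place of DEFAULT_PROFILE; the missing list should be empty only after the rule is appended.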

The newly created file can then be passed to the container, for example in the compose file:

    security_opt:
      - seccomp=./seccomp-bwrap.json


Run abuild

Start container

docker start <container-name>

Connect to the container with ssh or docker exec.

net option

By default the rootbld sandbox has no network connection.
If the build process needs network access to download additional files during the build commands, you have to specify the net option in the APKBUILD file.

abuild rootbld

Run the following in your git repository path:

abuild rootbld