forked from tangled.org/core
Monorepo for Tangled

spindle/engines/nixery: extend container caps

kaniko (and other Docker build tools) require permission to change file ownership to successfully build containers.

I'm leaving this here for consideration; not sure about this security-wise. The better solution would be to use KVM, I think. In our case Docker is running in sysbox without `privileged: true`, so it _should_ be fine (??)

Signed-off-by: zenfyr.dev <mail@melontini.me>

authored by zenfyr.dev and committed by anirudh.fi ef692dd7 0a2ae70c
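As an added example (not spindle's own code), the check a reviewer would want to run against a change like this one: a small Go program that computes the effective Linux capability set from `CapDrop`/`CapAdd` the way the Docker `HostConfig` fields in the diff combine, and then reports every capability granted without a recorded justification, plus `privileged: true` and a missing `no-new-privileges`. The `ContainerCaps` struct, the `Justifications` allowlist and its reasons, and the `base` default-capability list are assumptions of this example; the sample configuration is the one from the diff on this page.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ContainerCaps mirrors the HostConfig fields that decide which Linux
// capabilities a build container ends up with. Hypothetical type for this
// example; the field names follow the engine.go snippet in the diff.
type ContainerCaps struct {
	Privileged  bool
	CapDrop     []string
	CapAdd      []string
	SecurityOpt []string
}

// Justifications is a hypothetical allowlist: every capability the engine is
// permitted to add must come with a recorded reason. Only the caps the page
// itself accounts for are listed, so the checker flags the two that are not.
var Justifications = map[string]string{
	"CAP_DAC_OVERRIDE": "granted before this change",
	"CAP_CHOWN":        "commit message: kaniko must change file ownership",
	"CAP_FOWNER":       "commit message: kaniko must change file ownership",
}

// normalize accepts both "CHOWN" and "CAP_CHOWN" spellings.
func normalize(c string) string {
	c = strings.ToUpper(strings.TrimSpace(c))
	if !strings.HasPrefix(c, "CAP_") {
		c = "CAP_" + c
	}
	return c
}

// EffectiveCaps returns the sorted capability set after CapDrop and CapAdd:
// dropping "ALL" starts from an empty set, otherwise the container inherits
// the runtime's default set (passed in as base, a constructed list here).
func EffectiveCaps(cfg ContainerCaps, base []string) []string {
	set := map[string]bool{}
	dropAll := false
	for _, d := range cfg.CapDrop {
		if strings.EqualFold(d, "ALL") {
			dropAll = true
		}
	}
	if !dropAll {
		for _, b := range base {
			set[normalize(b)] = true
		}
		for _, d := range cfg.CapDrop {
			delete(set, normalize(d))
		}
	}
	for _, a := range cfg.CapAdd {
		set[normalize(a)] = true
	}
	out := make([]string, 0, len(set))
	for c := range set {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// Findings lists the review points for a config: privileged mode, a missing
// no-new-privileges option, and each effective capability lacking a reason.
func Findings(cfg ContainerCaps, base []string) []string {
	var f []string
	if cfg.Privileged {
		f = append(f, "privileged: true bypasses CapDrop/CapAdd entirely")
	}
	nnp := false
	for _, o := range cfg.SecurityOpt {
		if o == "no-new-privileges" {
			nnp = true
		}
	}
	if !nnp {
		f = append(f, "SecurityOpt lacks no-new-privileges")
	}
	for _, c := range EffectiveCaps(cfg, base) {
		if _, ok := Justifications[c]; !ok {
			f = append(f, fmt.Sprintf("%s is granted without a recorded justification", c))
		}
	}
	return f
}

func main() {
	// The configuration from the diff on this page, after the change.
	cfg := ContainerCaps{
		CapDrop:     []string{"ALL"},
		CapAdd:      []string{"CAP_DAC_OVERRIDE", "CAP_CHOWN", "CAP_FOWNER", "CAP_SETUID", "CAP_SETGID"},
		SecurityOpt: []string{"no-new-privileges"},
	}
	for _, line := range Findings(cfg, nil) {
		fmt.Println(line)
	}
}
```

Run against the post-change configuration it reports `CAP_SETGID` and `CAP_SETUID` as unjustified while accepting the three ownership-related caps; the point of keeping the allowlist next to the engine is that widening `CapAdd` then forces the reason to be written down in the same change.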

Changed files (+1 -1): spindle/engines/nixery/engine.go
spindle/engines/nixery/engine.go
··· 222 222 }, 223 223 ReadonlyRootfs: false, 224 224 CapDrop: []string{"ALL"}, 225 - CapAdd: []string{"CAP_DAC_OVERRIDE"}, 225 + CapAdd: []string{"CAP_DAC_OVERRIDE", "CAP_CHOWN", "CAP_FOWNER", "CAP_SETUID", "CAP_SETGID"}, 226 226 SecurityOpt: []string{"no-new-privileges"}, 227 227 ExtraHosts: []string{"host.docker.internal:host-gateway"}, 228 228 }, nil, nil, "")
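Review bot: the commit message justifies only changing file ownership, which `CAP_CHOWN` and `CAP_FOWNER` cover, but the new `CapAdd` line also grants `CAP_SETUID` and `CAP_SETGID`, which let any process in the build container switch its UID and GID; the `no-new-privileges` option on the following line does not constrain that, since it only blocks gaining privileges through execve (setuid binaries and file capabilities), not capabilities the container already holds. Either drop the two caps, or add a comment on the `CapAdd` line naming the build step that requires each one, so the widened grant is recorded next to `CapDrop: []string{"ALL"}` instead of only in the commit message.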