Comments (3)
Removed `BUILD_PRIVILEGED` in favor of `BUILDER_CAPS_SYS_PTRACE`. Let me know if you run into any issues.
from kubler.
It might be nice to add more fine-grained privileges. On a Ubuntu 16.04 host building net-analyzers/nmap fails due to the sandbox trying to use PTRACE. Several work-arounds I've found are to:
- disable the sandbox (e.g. `FEATURES=-usersandbox emerge net-analyzers/nmap`) in build.sh
- set `BUILD_PRIVILEGED=true` in build.conf
- add `--cap-add=SYS_PTRACE` to the docker run command in function `run_image`

It might be possible to reduce the privileges a lot of `BUILD_PRIVILEGED=true` builders and images have to a `--cap-add=SYS_SOMETHING`.
from kubler.
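The third work-around above, as an added shell example that is not kubler's own code: a helper that emits the privilege flags for the builder's `docker run`, granting only the named capabilities on top of Docker's default set instead of `--privileged`. The variable names `BUILD_PRIVILEGED` and `BUILDER_CAPS`, the function names and the image name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not kubler's code). Assumed settings:
#   BUILD_PRIVILEGED  "true"/"false", the legacy all-or-nothing switch
#   BUILDER_CAPS      space-separated capability names, e.g. "SYS_PTRACE"

# Print the privilege-related `docker run` flags for one builder container.
# $1 = BUILD_PRIVILEGED value, $2 = BUILDER_CAPS list. Returns 1 on a bad name.
builder_privilege_args() {
    privileged="$1"
    caps="$2"
    if [ "$privileged" = "true" ]; then
        # Legacy path: every capability, plus no seccomp/AppArmor confinement
        # and all host devices exposed. Far more than the nmap build needs.
        printf '%s' '--privileged'
        return 0
    fi
    # Least-privilege path: keep Docker's default capability set and add back
    # only what the build needs (SYS_PTRACE for the portage sandbox here).
    args=''
    for cap in $caps; do
        case "$cap" in
            *[!A-Z0-9_]*)
                # Reject anything that is not a plain capability name so a
                # malformed build.conf cannot smuggle extra flags into the command.
                echo "invalid capability name: $cap" >&2
                return 1 ;;
        esac
        args="${args:+$args }--cap-add=$cap"
    done
    printf '%s' "$args"
}

# Dry-run the full command line the way a run_image-style wrapper would build it.
# $1 = image name, $2 = BUILD_PRIVILEGED value, $3 = BUILDER_CAPS list
builder_run_cmd() {
    image="$1"
    priv_args=$(builder_privilege_args "$2" "$3") || return 1
    printf 'docker run --rm%s %s\n' "${priv_args:+ $priv_args}" "$image"
}

# Constructed sample: the nmap builder from the comment above, both ways.
builder_run_cmd builder-image true ''
builder_run_cmd builder-image false 'SYS_PTRACE'
```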
I was thinking about just setting `--cap-add=SYS_PTRACE` back then, but as it is just for some select build containers the current solution looked simpler (from a user's perspective) as it also takes care of any other missing cap problems.
Looking back so far though it always was the missing `SYS_PTRACE` cap that required `BUILD_PRIVILEGED=true`, so thanks for bringing this up again. Should be a fairly simple change.
from kubler.