Comments (2)
Docker heavily restricts the unshare syscall, which is required for Birdcage to function.

If you have control over the execution of the container, you can try modifying the docker run command to make it work. It might just need --cap-add=CAP_SYS_ADMIN, but the docs are a bit unclear on user namespaces and I have not tested that... Alternatively, you could use a custom seccomp filter with --security-opt="seccomp=profile.json" or even disable the seccomp filter entirely with --security-opt="seccomp=unconfined".

Ultimately, this is the reason that we included a --skip-sandbox option in 732b0d3. When docker is in use, further sandboxing is impractical and potentially unnecessary.
Knowing when to skip using the sandbox (at runtime) can be done in several ways:
- Check for when Docker is in use
  - PRO: easy, by checking for the existence of a /.dockerenv file
  - CON: disabling use of the sandbox is possible by creating that file
  - CON: Docker may not be the only environment where the sandbox does not work
- Attempt to use the sandbox for something that should always succeed
  - PRO: can be used for any environment and will survive implementation changes to both Phylum and Docker
  - CON: it may still be possible to manipulate the environment to cause a failure and thus control the use of the sandbox
Discussion with the team on 28 NOV 2023 resulted in the decision to go with the second option. In particular, the command to use was determined to be:
phylum sandbox --allow-run / true
If that command fails, then it must be due to the environment not playing well with the Birdcage sandbox. Only then should the use of the sandbox be skipped.
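The two detection strategies weighed in the thread, written out as an added example. This is not code from the issue thread or from the phylum CLI; it only uses the two facts the comments give (the /.dockerenv marker file, and the agreed probe command `phylum sandbox --allow-run / true`). The function names, the timeout, and the treatment of a missing `phylum` binary as "probe failed" are this example's own choices. It also makes the CON of the chosen approach concrete: the gate is only as trustworthy as the probe's exit status, so anything that can make the probe fail (including starving it until the timeout) can switch the sandbox off.

```python
"""Runtime decision: should the Birdcage sandbox be skipped?

Added example, not code from the phylum CLI.  Strategy 1 checks the
/.dockerenv marker; strategy 2 runs a command that must always succeed
inside the sandbox (the thread settled on
``phylum sandbox --allow-run / true``).  A probe failure for *any*
reason (non-zero exit, binary missing, hang) is treated as "sandbox
unusable".  That is the fail-safe direction for the gate itself, but it
is also the CON from the thread: whoever can make the probe fail can
turn the sandbox off.
"""
import os
import subprocess
from typing import Sequence

# Probe agreed on in the thread.  `phylum` is resolved via PATH; a
# different argv can be passed in for testing (assumption of this example).
DEFAULT_PROBE: Sequence[str] = ("phylum", "sandbox", "--allow-run", "/", "true")


def docker_marker_present(root: str = "/") -> bool:
    """Strategy 1: look for the /.dockerenv marker file under `root`.

    Cheap, but trivially spoofable: anyone who can create that file can
    disable the sandbox, and non-Docker environments that also break the
    sandbox are missed entirely.
    """
    return os.path.exists(os.path.join(root, ".dockerenv"))


def sandbox_usable(probe: Sequence[str] = DEFAULT_PROBE, timeout_s: float = 10.0) -> bool:
    """Strategy 2: run something that must succeed inside the sandbox.

    Returns True only when the probe exits 0.  A missing or non-executable
    binary, a non-zero exit, or a hang past `timeout_s` all yield False.
    stdin/stdout/stderr are detached so the probe cannot block on a tty.
    """
    try:
        completed = subprocess.run(
            list(probe),
            stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout_s,
            check=False,
        )
    except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired):
        return False
    return completed.returncode == 0


def should_skip_sandbox(probe: Sequence[str] = DEFAULT_PROBE, timeout_s: float = 10.0) -> bool:
    """The decision the thread arrived at: skip only when the probe fails."""
    return not sandbox_usable(probe, timeout_s)


if __name__ == "__main__":
    # Stand-alone run: report both signals for the current host.
    print("docker marker present:", docker_marker_present())
    print("skip sandbox:", should_skip_sandbox())
```

The probe is deliberately run with a timeout: a sandbox that hangs instead of erroring would otherwise stall the whole CLI, and the thread's "if that command fails" rule has to cover hangs as well as non-zero exits.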