Monorepo for Tangled

spindle/engines/nixery: extend container caps

kaniko (and other Docker build tools) require permission to change file ownership to build containers successfully.

I'm leaving this here for consideration, not sure about this security-wise; the better solution would be to use KVM, I think. In our case Docker is running in sysbox without `privileged: true`, so it _should_ be fine(??)

Signed-off-by: zenfyr.dev <mail@melontini.me>
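An added check, not part of this commit or of the spindle/nixery engine, for confirming from inside a build container that the effective capability set is exactly the five the HostConfig grants and that no_new_privs is in force. The capability bit numbers are the ones in linux/capability.h; the mask value 203 (0xcb) is the sum of those five bits, derived here rather than taken from the page, and the status-file layout is the standard /proc/<pid>/status format.

```shell
#!/bin/sh
# Added example, not from the spindle/nixery engine: verify the capability
# set a build container actually ends up with after CapDrop ALL plus the
# five CapAdd entries. Bit numbers are from linux/capability.h:
#   CAP_CHOWN=0  CAP_DAC_OVERRIDE=1  CAP_FOWNER=3  CAP_SETGID=6  CAP_SETUID=7
# so a set of exactly those five is 1+2+8+64+128 = 203 = 0xcb.
GRANTED_MASK=203

# cap_names <hex-mask>: print, space separated, which of the five granted
# capabilities are set in a CapEff-style 64-bit hex mask.
cap_names() {
    mask=$((0x$1))
    names=""
    for entry in 0:cap_chown 1:cap_dac_override 3:cap_fowner 6:cap_setgid 7:cap_setuid; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            names="$names $name"
        fi
    done
    printf '%s\n' "${names# }"
}

# unexpected_bits <hex-mask>: print (decimal) the mask with the five granted
# bits removed. "0" means the container holds nothing beyond what was asked
# for; anything else means CapDrop ALL did not take effect (for example a
# privileged container, or Docker's default set 00000000a80425fb).
unexpected_bits() {
    printf '%d\n' $(( 0x$1 & ~GRANTED_MASK ))
}

# check_status <status-file>: run both checks against a /proc/<pid>/status
# file. Prints a short report; returns 1 if the effective set carries extra
# bits or NoNewPrivs is not 1 (the no-new-privileges SecurityOpt).
check_status() {
    eff=$(awk '/^CapEff:/ {print $2}' "$1")
    nnp=$(awk '/^NoNewPrivs:/ {print $2}' "$1")
    [ -n "$eff" ] || { echo "no CapEff line in $1"; return 1; }
    echo "effective caps:  $(cap_names "$eff")"
    echo "unexpected bits: $(unexpected_bits "$eff")"
    echo "no_new_privs:    ${nnp:-missing}"
    [ "$(unexpected_bits "$eff")" = "0" ] && [ "$nnp" = "1" ]
}

# Live run when executed inside the container (skipped where /proc is absent);
# the script's exit status is the check result.
[ -r /proc/self/status ] && check_status /proc/self/status
```

Run it as a build step (or `docker exec` it into the running container) and fail the pipeline on a non-zero exit; a non-zero "unexpected bits" line is the quickest way to notice that a daemon or runtime change silently widened the set.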

authored by zenfyr.dev and committed by Anirudh Oppiliappan
ef692dd7 0a2ae70c

+1 -1
spindle/engines/nixery/engine.go
··· 222 222 }, 223 223 ReadonlyRootfs: false, 224 224 CapDrop: []string{"ALL"}, 225 - CapAdd: []string{"CAP_DAC_OVERRIDE"}, 225 + CapAdd: []string{"CAP_DAC_OVERRIDE", "CAP_CHOWN", "CAP_FOWNER", "CAP_SETUID", "CAP_SETGID"}, 226 226 SecurityOpt: []string{"no-new-privileges"}, 227 227 ExtraHosts: []string{"host.docker.internal:host-gateway"}, 228 228 }, nil, nil, "")
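Review bot: the safety argument for adding CAP_CHOWN, CAP_FOWNER, CAP_SETUID and CAP_SETGID on line 225 rests on the container running under sysbox, but nothing in this HostConfig asserts that: `Runtime` is not set, so against a plain runc daemon the same build container gets these capabilities as real root. Either pin `Runtime: "sysbox-runc"` (or refuse to start when the daemon's runtime is not sysbox) or at least record the dependency in a comment above `CapAdd`. That comment should also say what `no-new-privileges` on line 226 does and does not cover: it blocks gaining privileges through execve of setuid or file-capability binaries, but a process that already holds CAP_SETUID/CAP_SETGID can call setuid(0)/setgid(0) directly, and together with CAP_DAC_OVERRIDE and CAP_FOWNER it can then read, write and chown any file in the container, so this set is effectively container-root for every build step. A one-line note per capability naming the kaniko operation that needs it (the ownership changes the commit message mentions) would make it possible to drop any that turn out to be unnecessary later.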