Fix issue 5763
- Discourage `--oci-worker-no-process-sandbox`, due to the leakage of
  the processes (by design).
  Instead, encourage setting `systempaths=unconfined` in `docker run`.
  This corresponds to `securityContext.procMount: Unmasked` in Kubernetes;
  however, the configuration is hard on Kubernetes, as it has to be used
  in conjunction with `hostUsers: false`.
- Remove `--device /dev/fuse`, as fuse-overlayfs is no longer used typically.
- Use the new Kubernetes struct for AppArmor
- Add a hint about `kernel.apparmor_restrict_unprivileged_userns`
- Remove `$` from command snippets for ease of copy-pasting
- Make `job.*.yaml` more practical
- Add `*.userns.yaml`. Needs `UserNamespaceSupport` feature gate to be enabled.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Move "Distribution-specific hint" and "Troubleshooting" to the bottom of
the document to improve readability.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The error is known to happen when buildkitd is executed inside a
container without `--oci-worker-no-process-sandbox`.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too,
but the default VOLUME does not work with rootless on Google's Container-Optimized OS
as it is mounted with `nosuid,nodev`.
So the volume has to be explicitly mounted as an `emptyDir` volume.
Tested with GKE Autopilot 1.24.3-gke.200 (kernel 5.10.123+, containerd 1.6.6).
Fix issue 879
Thanks to Andrew Grigorev (ei-grad) and Ben Cressey (bcressey).
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
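The Kubernetes-side configuration that the two commit messages above describe, combined into one manifest: `procMount: Unmasked` together with `hostUsers: false` instead of `--oci-worker-no-process-sandbox`, the new `appArmorProfile` struct, and an explicit `emptyDir` for the BuildKit state directory in place of the image's default `VOLUME`. This is an added example, not a file from the BuildKit repository or its `examples/kubernetes` directory. The pod name and image tag are assumptions, no `buildkitd` arguments are passed so the image entrypoint's defaults apply, and the cluster is assumed to have the user-namespace feature gate enabled and to permit an unmasked `/proc`.

```yaml
# Added example, not from the BuildKit repository: rootless buildkitd in a
# pod-level user namespace, without --oci-worker-no-process-sandbox.
apiVersion: v1
kind: Pod
metadata:
  name: buildkitd-userns            # assumed name
spec:
  # Run the pod in its own user namespace. This is what makes
  # procMount: Unmasked acceptable to the kubelet, and it needs the
  # user-namespace feature gate (named `UserNamespaceSupport` in the
  # commit message above) on the cluster.
  hostUsers: false
  containers:
  - name: buildkitd
    image: moby/buildkit:rootless   # assumed tag; entrypoint is rootlesskit buildkitd
    securityContext:
      # Leave /proc unmasked so buildkitd can create its own per-build
      # process sandbox instead of sharing the PID namespace with the
      # host-side daemon (the leakage that the flag above is discouraged for).
      procMount: Unmasked
      # New AppArmor struct; replaces the old
      # container.apparmor.security.beta.kubernetes.io/<name> annotation.
      # On Ubuntu nodes with kernel.apparmor_restrict_unprivileged_userns=1
      # the node sysctl itself must be relaxed; that cannot be done from here.
      appArmorProfile:
        type: Unconfined
      # seccomp is deliberately left at the cluster default.
    volumeMounts:
    # The image declares VOLUME /home/user/.local/share/buildkit, but an
    # implicit volume is mounted nosuid,nodev on Container-Optimized OS,
    # which breaks rootless; mount an explicit emptyDir instead.
    - name: buildkitd-state
      mountPath: /home/user/.local/share/buildkit
  volumes:
  - name: buildkitd-state
    emptyDir: {}
```

The `docker run` equivalent of the `procMount` setting is `--security-opt systempaths=unconfined`; with `--oci-worker-no-process-sandbox` dropped, a build container that misbehaves can no longer signal or inspect processes belonging to other builds or to `buildkitd` itself.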
Isolating network namespace with `rootlesskit --net=slirp4netns` is
recommended for protecting localhost sockets and abstract sockets on the host.
This is not meaningful for running rootless buildkitd inside a
container, so slirp4netns is not added in Dockerfile.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
While real overlayfs is available only in Ubuntu and Debian kernels,
fuse-overlayfs is universally available for kernel >= 4.18.
For dockerized deployment, `--device /dev/fuse` needs to be added to
`docker run` flags.
Kubernetes deployment needs a custom device plugin that enables
`/dev/fuse`, e.g. https://github.com/honkiko/k8s-hostdev-plugin
Instead of a device plugin, the device can also be enabled by setting
`securityContext.privileged` to `true`.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
BuildKit with crun works fine on a cgroup2 system.
Tested both Rootful and Rootless on Fedora 31, with crun v0.10.2.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* examples/kubernetes: newly added
* docs/rootless.md: cleaned up for better readability
* examples/README.md: split out from the main README.md
* examples/build-using-dockerfile/README.md: split out from the main README.md
* README.md: add TOC using https://github.com/thlorenz/doctoc
* README.md: add mTLS configuration (relates to #1074)
* README.md: add more adoptions
* README.md: add inline cache (fix #976)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Note that this mode allows build executor containers to kill (and potentially ptrace) an arbitrary process in the BuildKit host namespace.
This mode should be enabled only when BuildKit is running in a container as an unprivileged user.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>