buildkit/docs
Akihiro Suda 3a91b50be1 rootless: update docs and examples
Fix issue 5763

- Discourage `--oci-worker-no-process-sandbox`, due to the leakage of
  the processes (by design).
  Instead, encourage setting `systempaths=unconfined` in `docker run`.
  This corresponds to `securityContext.procMount: Unmasked` in Kubernetes,
  however, the configuration is hard on Kubernetes, as it has to be used
  in conjunction with `hostUsers: false`.

- Remove `--device /dev/fuse`, as fuse-overlayfs is no longer used typically.

- Use the new Kubernetes struct for AppArmor

- Add a hint about `kernel.apparmor_restrict_unprivileged_userns`

- Remove `$` from command snippets for ease of copypasting

- Make `job.*.yaml` more practical

- Add `*.userns.yaml`. Needs `UserNamespaceSupport` feature gate to be enabled.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-02-21 16:57:53 +09:00