mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2026-05-04 11:51:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

sdk_lib: Don't disable the Portage sandboxes most of the time

Browse Source 
We have long run with the ipc, network, and pid sandboxes disabled in
the belief that these did not work in a container even if it was
privileged. I suspect it really did work back then, but it certainly
does work now regardless.

update_sdk_container_image uses Portage in an unprivileged docker build
environment, so it is still necessary to disable these here. However,
this can be done more easily through the environment, and the regular
sandbox should work fine.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
This commit is contained in:
James Le Cuirot 2026-04-15 17:18:20 +01:00
parent d121b9594e
commit d42574d094
No known key found for this signature in database
GPG Key ID: 1226415D00DD3137
2 changed files with 2 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sdk_lib/Dockerfile.sdk-import
View File

@ -17,11 +17,6 @@ RUN if ! grep -q portage /etc/passwd; then \
echo "portage:x:250:250:portage:/var/tmp/portage:/bin/false" >>/etc/passwd; \
fi
# fix "Unable to unshare: EPERM ..." in containers
# (see https://github.com/gentoo/gentoo-docker-images/issues/81)
RUN echo 'export FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox"' \
>> /etc/skel/.bashrc
RUN groupadd sdk
RUN useradd -g sdk -G portage sdk
RUN echo "sdk ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sdk-user

13
sdk_lib/Dockerfile.sdk-update
View File

@ -4,22 +4,13 @@ FROM ${BASE}
COPY --chown=sdk:sdk sdk_container/ /mnt/host/source
COPY --chown=sdk:sdk . /mnt/host/source/src/scripts
# Disable all sandboxing for SDK updates since some core packages
# (like GO) fail to build from a permission error otherwise.
RUN cp /home/sdk/.bashrc /home/sdk/.bashrc.bak
RUN echo 'export FEATURES="-sandbox -usersandbox -ipc-sandbox -network-sandbox -pid-sandbox"' \
>> /home/sdk/.bashrc
RUN chown sdk:sdk /mnt/host/source
RUN /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr"
RUN FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" \
/home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr"
RUN /home/sdk/sdk_entry.sh ./setup_board --board="arm64-usr" --regen_configs
RUN /home/sdk/sdk_entry.sh ./setup_board --board="amd64-usr" --regen_configs
# Restore original .bashrc to remove sandbox disablement
RUN mv /home/sdk/.bashrc.bak /home/sdk/.bashrc
RUN chown sdk:sdk /home/sdk/.bashrc
# Clean up ephemeral key directory variables that were added during build
RUN sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \
-e '/export MODULES_SIGN_KEY=/d' \