2 commits

37483da0f5 Refactor file capabilities
Adding capabilities after removing capabilities is more robust and makes more sense logically; the reverse order was confusing.

This also allows dropping the exception from removal.
2025-04-17 01:45:42 +02:00
31ac3096dc Refactor environment variables 2025-04-17 01:45:23 +02:00


@ -1,23 +1,21 @@
FROM quay.io/fedora/fedora-minimal:42
ARG RUNNER_VERSION=6.3.1
ARG GITHUB_RUN_ID
ENV BUILDAH_ISOLATION=chroot
ENV HOME=/builder
ENV REGISTRY_AUTH_FILE=/builder/.config/containers/auth.json
RUN echo ${GITHUB_RUN_ID} > /.github_run_id
RUN dnf5 -y --setopt install_weak_deps=false install podman buildah skopeo vim setpriv git nodejs22 diffutils
ENV BUILDAH_ISOLATION=chroot
RUN curl -sfL https://code.forgejo.org/forgejo/runner/releases/download/v${RUNNER_VERSION}/forgejo-runner-${RUNNER_VERSION}-linux-amd64 -o /usr/local/bin/forgejo-runner
RUN chmod +x /usr/local/bin/forgejo-runner
RUN echo "nobody:65536:65536" > /etc/subuid && echo "nobody:65536:65536" > /etc/subgid
ENV HOME=/builder
ENV REGISTRY_AUTH_FILE=/builder/.config/containers/auth.json
# This is a workaround for https://github.com/containers/podman/issues/23818, apart from that it serves absolutely no purpose. I also don't know why it looks there, given HOME is elsewhere, but it doesn't seem to cause any issues.
RUN mkdir /.config && chown 65534:65534 /.config
@ -26,13 +24,11 @@ RUN mkdir /builder /builder/.config && chown -R 65534:65534 /builder
# This works around https://github.com/redhat-actions/podman-login/pull/43, until this PR is merged at least
RUN mkdir /builder/.docker && chown -R 65534:65534 /builder/.docker
WORKDIR /builder
RUN setcap cap_setuid=ep /usr/bin/newuidmap cap_setgid=ep /usr/bin/newgidmap
RUN find / -mindepth 1 -path /proc -prune -or -path /sys -prune -or -path /dev -prune -or -type f -perm /6000 -exec sh -c "chmod ug-s '{}' && echo \"Removed setuid/setgid bit(s) from '{}'\"" \;
RUN getcap -r / | awk '{ print $1 }' | grep -vE '/usr/bin/new[ug]idmap' | xargs -I '{}' sh -c "setcap -r '{}' && echo \"Removed file capability bit(s) from '{}'\""
RUN getcap -r / | awk '{ print $1 }' | xargs -I '{}' sh -c "setcap -r '{}' && echo \"Removed file capability bit(s) from '{}'\""
RUN setcap cap_setuid=ep /usr/bin/newuidmap cap_setgid=ep /usr/bin/newgidmap
RUN shopt -s dotglob && rm -rf /var/cache/* /tmp/* /var/tmp/*
@ -42,4 +38,6 @@ RUN chmod +x /entrypoint.sh
USER 65534:65534
WORKDIR /builder
CMD ["/entrypoint.sh"]