You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Without the --privileged flag, docker will run with reduced privileges. My workflow needs more privileges (in particular I need the capset operation). This PR adds that flag, as I see no security issue with this. Note that with this change, you should be able to remove the --disable-sandboxing flag here:
Without the --privileged flag, docker will run with reduced privileges. My workflow needs more privileges (in particular I need the capset operation).
OK. BTW could you give a bit more details on your use case / on the exact CAPs you need? (cf. man 7 capabilities)
This PR adds that flag, as I see no security issue with this.
the --privileged flag basically drops the container isolation by adding all capabilities, so maybe a less invasive change would be to just rely on some --cap-add flag?
Note that with this change, you should be able to remove the --disable-sandboxing flag here:
Yes and no. You're right that it is related! however beyond CI, the docker-coq images are also intended to be run locally (without any --privileged-like flag), so I'm unsure we can benefit there from the change suggested in your PR #50.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Without the
--privilegedflag, docker will run with reduced privileges. My workflow needs more privileges (in particular I need the capset operation). This PR adds that flag, as I see no security issue with this. Note that with this change, you should be able to remove the--disable-sandboxingflag here:https://github.com/coq-community/docker-base/blob/b47cc67d1f78217ba4a0ade773ab61d19e5c817d/base/single/Dockerfile#L81