| commit | 52804a1970bf8633c216fea4e165df4e88a16acc | [log] [tgz] |
|---|---|---|
| author | Leopold Schabel <leo@nexantic.com> | Thu Oct 24 02:17:13 2019 +0200 |
| committer | Leopold Schabel <leo@nexantic.com> | Thu Oct 24 02:17:13 2019 +0200 |
| tree | e6be5233989911dd21f2d74a170199a396793054 | |
| parent | b51250a42b51b8dc6509c7dc57522d42bced2c00 [diff] |
Run as unprivileged user in container in a new user namespace
This prevents the build from accidentally modifying system files in
the container, and increases security.
Test Plan:
scripts/destroy_container.sh; scripts/create_container.sh && scripts/run_in_container.sh id
# uid=1000(1000) gid=1000 groups=1000
bazel run scripts:launch
# works
X-Origin-Diff: phab/D212
GitOrigin-RevId: 74af18ee49cf48e45440e12e9efe36e57be5f18d
The build uses a Fedora 30 base image with a set of dependencies. Guide has been tested on a Fedora 30 host, with latest rW deployed.
Build the base image:
podman build -t smalltown-builder .
Launch the VM:
scripts/bin/bazel run scripts:launch
Exit qemu using the monitor console: Ctrl-A c quit.