commit | 7afd390eadf37eac58d4db8ad3751783c40bdf37 | |
---|---|---|
author | Leopold Schabel <leo@nexantic.com> | Wed Oct 23 12:16:57 2019 +0200 |
committer | Leopold Schabel <leo@nexantic.com> | Wed Oct 23 12:16:57 2019 +0200 |
tree | 73b7533e0ba991eb8f2d98ed58e4350ca4c8e394 | |
parent | 2983d7285fe019f943f1b722f26a0f2e959c5f80 | |
Use --privileged in Fedora container

This enables the namespace-based sandbox in Bazel. Using `--privileged` isn't as dangerous as it looks when used with podman in rootless mode (i.e. run as an unprivileged user), in which case it uses user namespaces.

We drop `--net=host`, which is not actually necessary.

Test Plan:

    scripts/destroy_container.sh
    scripts/create_container.sh
    scripts/run_in_container.sh bazelisk build :swtpm_data

This now fails properly when run with the container:

    swtpm-localca: touch: cannot touch '/var/lib/swtpm-localca/.lock.swtpm-localca': Read-only file system
    swtpm-localca: Error: Could not create lock file /var/lib/swtpm-localca/.lock.swtpm-localca.

X-Origin-Diff: phab/D202
GitOrigin-RevId: f51a831e7584cccf21860e9f18b73272a658f055
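The commit message's safety argument rests on rootless podman mapping the container's root through a user namespace. The following added example (not part of this commit or the project's scripts) shows how to verify that claim from inside a container by classifying `/proc/self/uid_map`: if container uid 0 maps to host uid 0, `--privileged` really is host root; if it maps to an unprivileged host uid, it is the rootless case described above. The sample maps are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a uid_map to tell whether "root" inside the container
# is real host root (uid 0 -> host uid 0) or an unprivileged host user mapped
# through a user namespace, as with rootless podman.
# uid_map line format: <ns_start> <host_start> <length>

# Prints "host-root" if container uid 0 maps to host uid 0,
# "userns" if it maps to any other host uid, "unmapped" if no line covers uid 0.
classify_uid_map() {
    # $1: uid_map content, as read from /proc/<pid>/uid_map
    printf '%s\n' "$1" | awk '
        NF == 3 {
            ns = $1 + 0; host = $2 + 0; len = $3 + 0
            # does this range cover container uid 0?
            if (ns <= 0 && 0 < ns + len) {
                if (host - ns == 0) { print "host-root" } else { print "userns" }
                found = 1; exit
            }
        }
        END { if (!found) print "unmapped" }'
}

# Live check when run inside a container (hypothetical helper, reads procfs).
check_running_container() {
    classify_uid_map "$(cat /proc/self/uid_map)"
}

# Constructed sample maps, not captured from any real host:
# rootful podman/docker: identity mapping of the whole uid range
ROOTFUL_MAP='         0          0 4294967295'
# rootless podman: uid 0 -> host uid 1000, 1..65536 -> subuid range
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'

if [ "${1:-}" = "--demo" ]; then
    echo "rootful  : $(classify_uid_map "$ROOTFUL_MAP")"   # host-root
    echo "rootless : $(classify_uid_map "$ROOTLESS_MAP")"  # userns
fi
```

Run with `--demo` to see the two constructed cases, or call `check_running_container` from inside the builder container to confirm that `--privileged` is backed by a user namespace rather than host root.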
The build uses a Fedora 30 base image with a set of dependencies. This guide has been tested on a Fedora 30 host with the latest rW deployed.
Build the base image:

    podman build -t smalltown-builder .

Launch the VM:

    scripts/bin/bazel run scripts:launch

Exit qemu using the monitor console: `Ctrl-A c`, then `quit`.