File tree 1 file changed +7
-3
lines changed
1 file changed +7
-3
lines changed Original file line number Diff line number Diff line change @@ -25,12 +25,16 @@ RUN make static && mv img /usr/bin/img
2525# We don't use the Alpine shadow pkg bacause:
2626# 1. Alpine shadow makes SUID `su` executable without password: https://github.com/gliderlabs/docker-alpine/issues/430
2727# (but note that the SUID binary is not executable after unsharing the usernamespace. so this issue is not critical)
28- # 2. As of early October 2018, the upstream shadow newuidmap/newgidmap depends on CAP_SYS_ADMIN.
29- # So we need to apply https://github.com/shadow-maint/shadow/pull/132 .
28+ # 2. To allow running img in a container without CAP_SYS_ADMIN, we need to do either
29+ # a) install newuidmap/newgidmap with file capabilities rather than SETUID (requires kernel >= 4.14)
30+ # b) install newuidmap/newgidmap >= 20181028
31+ # We choose b) until kernel >= 4.14 gets widely adopted.
32+ # See https://github.com/shadow-maint/shadow/pull/132 https://github.com/shadow-maint/shadow/pull/138
3033FROM alpine:3.8 AS idmap
3134RUN apk add --no-cache autoconf automake build-base byacc gettext gettext-dev gcc git libcap-dev libtool libxslt
32- RUN ( git clone -b no-cap-sys-admin https://github.com/giuseppe /shadow.git /shadow && cd /shadow )
35+ RUN git clone https://github.com/shadow-maint /shadow.git /shadow
3336WORKDIR /shadow
37+ RUN git checkout 42324e501768675993235e03f7e4569135802d18
3438RUN ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd \
3539 && make \
3640 && cp src/newuidmap src/newgidmap /usr/bin
You can’t perform that action at this time.
0 commit comments