Monorepo for Tangled

spindle/engines/nixery: extend container caps

kaniko (and other docker build tools) require permission to change file ownership to successfully build containers.

I'm leaving this here for consideration; I'm not sure about this security-wise. The better solution would be to use KVM, I think. In our case Docker is running in Sysbox without `privileged: true`, so it _should_ be fine(??)

Signed-off-by: zenfyr.dev <mail@melontini.me>

author: zenfyr.dev
committer: Anirudh Oppiliappan
date: Oct 26, 2025, 1:28 PM +0200
commit: ef692dd7
parent: 0a2ae70c
change-id: tswxxrrr
+1 -1
spindle/engines/nixery/engine.go
··· 222 222 }, 223 223 ReadonlyRootfs: false, 224 224 CapDrop: []string{"ALL"}, 225 - CapAdd: []string{"CAP_DAC_OVERRIDE"}, 225 + CapAdd: []string{"CAP_DAC_OVERRIDE", "CAP_CHOWN", "CAP_FOWNER", "CAP_SETUID", "CAP_SETGID"}, 226 226 SecurityOpt: []string{"no-new-privileges"}, 227 227 ExtraHosts: []string{"host.docker.internal:host-gateway"}, 228 228 }, nil, nil, "")
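Review bot: The new `CapAdd` list grants more than the commit message justifies: changing file ownership needs `CAP_CHOWN` (and `CAP_FOWNER` for files the build process does not own), but `CAP_SETUID` and `CAP_SETGID` let any process in the build container switch to arbitrary UIDs/GIDs, and the retained `no-new-privileges` option does not constrain that, since it only blocks privilege gain across `execve` of setuid or file-capability binaries. Please either explain in the commit message which build step requires `CAP_SETUID`/`CAP_SETGID` or drop them until it does, and turn the "not sure about this security wise" caveat into a comment next to `CapAdd` that records why each capability is present, since a later reader of `engine.go` will otherwise see only `CapDrop: []string{"ALL"}` followed by five re-added capabilities with no rationale. Worth noting alongside: this line runs with `ReadonlyRootfs: false`, so the ownership-related capabilities apply to the whole container filesystem, not just the build workspace.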