
Include setcap binary

Open recmo opened this issue 4 years ago • 6 comments

How could this project be improved?

To allow a non-root executable to bind privileged ports like 80, it needs to have the cap_net_bind_service capability set, which is done in the build container using

RUN setcap cap_net_bind_service=+ep /my-app

But setcap is not available in the image, requiring the addition of a dependency install

RUN sudo apt-get update && \
    sudo apt-get install -yq libcap2-bin && \
    sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/*

It would be great if libcap2-bin and thus setcap are available in the emk/rust-musl-builder image.

If you're interested in implementing this feature yourself, how could I help you?

recmo, Jul 13 '21 11:07

Hi @Recmo Just of curiosity (I am not involved in this project), why would you need to change capabilities inside a container that is only used for compiling applications? Are you maybe running your Rust application inside this container?

TueHenriksen, Jul 29 '21 08:07

It's moved to a final FROM scratch container. Capabilities are preserved during this move since they are extended attributes. I need to do this in the build container because setcap is not available in FROM scratch (and installing it defeats the purpose).

IMHO, setting capabilities is part of the build process, just like setting the execute flag, stripping debug info and what else you'd want to do.

(Also, I am running the app in the build container, but just as a sanity check / test to make sure the compilation was successful. Some linker issues don't show up until you actually try to run it.)

recmo, Aug 19 '21 05:08

That makes sense - I guess you could change capabilities within a normal ubuntu container after you have built it and before moving it to your scratch container? But of course, it adds an extra stage to your dockerfile...

TueHenriksen, Aug 19 '21 07:08

I had not thought of adding an extra stage, but that would work too. Just apt-get installing it like above is also fine. I'm only proposing including it as a convenience. Consider it part of expected build tools like ld, strip, objdump, etc.

recmo, Aug 19 '21 07:08
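The extra-stage approach discussed above, written out as a complete multi-stage Dockerfile. This is an added example, not code from the rust-musl-builder project or from the people in this thread. It assumes the crate and its binary are both called my-app, that the builder image is tagged emk/rust-musl-builder:stable, and that the build output lands under /home/rust/src/target/x86_64-unknown-linux-musl/release/ (adjust the paths to your own image). The capability is applied in an Ubuntu stage that has libcap2-bin, verified with getcap so the build fails early if the extended attribute was not written, and then carried into the scratch stage by COPY, which preserves the security.capability xattr as the thread notes.

```dockerfile
# Added example (not the project's own Dockerfile). Assumed names: my-app,
# emk/rust-musl-builder:stable, and the builder's default target directory.

# Stage 1: compile a static musl binary as the unprivileged "rust" user.
FROM emk/rust-musl-builder:stable AS builder
COPY --chown=rust:rust . ./
RUN cargo build --release

# Stage 2: set the file capability in an image that has setcap/getcap.
# Nothing else from this stage ends up in the final image.
FROM ubuntu:22.04 AS capset
RUN apt-get update && \
    apt-get install -y --no-install-recommends libcap2-bin && \
    rm -rf /var/lib/apt/lists/*
COPY --from=builder \
    /home/rust/src/target/x86_64-unknown-linux-musl/release/my-app /my-app
# Grant only cap_net_bind_service, effective+permitted (no inheritable bit),
# then read it back: getcap prints nothing for a file without caps, so the
# grep makes the build fail if the xattr did not take.
RUN setcap cap_net_bind_service=+ep /my-app && \
    getcap /my-app | grep -q cap_net_bind_service

# Stage 3: empty final image. COPY keeps the security.capability xattr, so the
# binary arrives already able to bind port 80 while running as a non-root UID.
FROM scratch
COPY --from=capset /my-app /my-app
USER 1000:1000
EXPOSE 80
ENTRYPOINT ["/my-app"]
```

Build with `docker build -t my-app .` and confirm the result with `docker run --rm my-app` bound to a privileged port as UID 1000. A numeric USER is used because scratch has no /etc/passwd to resolve a name, and the getcap check in stage 2 is the sanity test recmo describes: a missing capability is a build failure rather than a runtime permission error. If the builder image ever ships libcap2-bin (the request in this issue), stage 2 collapses into stage 1 and the scratch COPY stays the same.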

I am gradually moving away from OpenSSL and libpq across the projects I maintain, as described on #126. I am unlikely to ever find the time to add new features to this image (and maintain them). My apologies.

emk, Dec 16 '21 16:12

However, I do have some good news! Now that I've moved the build system to GitHub, it's relatively easy for me to add new Ubuntu packages to the image and to test that the image still works. If anyone still wants to have this, please submit a PR.

emk, Dec 23 '21 20:12