openfaas-cloud icon indicating copy to clipboard operation
openfaas-cloud copied to clipboard

Published 20 hours ago verified publisher icon openfaas

Investigate non-root buildkit implementations

Open alexellis opened this issue 7 years ago • 3 comments

There is some work to patch runc to do non-root builds via buildkit

This currently looks too manual and bespoke to be useful - i.e. patching kernel modules/runc and other components, but would be an ideal fit for OpenFaaS Cloud builds when ready.

alexellis avatar Apr 01 '18 08:04 alexellis

Is this closable now?

AkihiroSuda avatar Jun 10 '18 17:06 AkihiroSuda

I should have been clearer. By non-root I also mean unprivileged. The reason for this is to help prevent breakouts or untrusted builds causing damage.

Thanks for helping us to get to a non-root build, we need to further isolate it now with the work you mentioned Jessie is working on.

alexellis avatar Jun 10 '18 18:06 alexellis

@AkihiroSuda ping. @jessfraz if you have time to look at this issue, do you have any thoughts on how close an unprivileged build could be with buildkit/img?

alexellis avatar Jul 18 '18 20:07 alexellis