openfaas / openfaas-cloud

The Multi-user OpenFaaS Platform
https://docs.openfaas.com/openfaas-cloud/intro/
MIT License

Investigate non-root buildkit implementations #4

Open alexellis opened 6 years ago

alexellis commented 6 years ago

There is some work to patch runc to do non-root builds via buildkit.

This currently looks too manual and bespoke to be useful - i.e. patching kernel modules/runc and other components, but would be an ideal fit for OpenFaaS Cloud builds when ready.

AkihiroSuda commented 6 years ago

Is this closable now?

alexellis commented 6 years ago

I should have been clearer. By non-root I also mean unprivileged. The reason for this is to help prevent breakouts or untrusted builds causing damage.

Thanks for helping us to get to a non-root build. We need to further isolate it now with the work you mentioned Jessie is working on.

alexellis commented 6 years ago

@AkihiroSuda ping. @jessfraz if you have time to look at this issue, do you have any thoughts on how close an unprivileged build could be with buildkit/img?