Closed maxrake closed 10 months ago
Docker heavily restricts the unshare
syscall which is required for Birdcage to function.
If you have control over the execution of the container, you can try modifying the docker run
command to make it work. It might just need --cap-add=CAP_SYS_ADMIN
, but the docs are a bit unclear on user namespaces and I have not tested that... Alternately, you could use a custom seccomp filter with --security-opt="seccomp=profile.json"
or even disable the seccomp filter entirely with --security-opt="seccomp=unconfined"
Ultimately, this is the reason that we included a --skip-sanbox
option in 732b0d3. When docker is in use, further sandboxing is impractical and potentially unnecessary.
Knowing when to skip using the sandbox (at runtime) can be done in several ways:
/.dockerenv
fileDiscussion with the team on 28 NOV 2023 resulted in the decision to go with the second option. In particular, the command to use was determined to be:
phylum sandbox --allow-run / true
If that command fails, then it must be due to the environment not playing well with the Birdcage sandbox. Only then should the use of the sandbox be skipped.
Overview
Lockfile generation with the v5.9.0-rc1 release fails when run from a Debian based
linux/amd64
Docker container.How To Reproduce
Expected Behavior
Lockfiles are able to be generated by Phylum when operating within a Debian based
linux/amd64
Docker container (which is whatphylumio/phylum-ci
on Docker Hub is).Additional Context
This appears to affect the CLI v5.9.0-rc1 release only at this time. The previous v5.8.1 release does not have this issue. The difference between those two releases is generating lockfiles within a sandbox. It is not clear from the error what went wrong, but the suspicion is a missing sandbox permission for the
linux/amd64
Docker environment.The
maxrake/phylum-ci:gh_pr_target
tag on Docker Hub exists to test this behavior.