In Dockerfile_build, don't try to build with one libc and run with another.
In Dockerfile_build, don't disable cgo - it's a hard requirement for setting up user namespaces. The default seccomp filter for dockerd doesn't allow us to use the unshare() syscall, which is part of setting up namespaces, so if we're running under dockerd, we still need to be started with either to not use a seccomp filter, or to use the seccomp filter that podman uses, which will allow the container to use the unshare() syscall.
In Dockerfile_build, supply additional configuration files used by underlying libraries.
Force the type of isolation used for RUN instructions to "chroot", since we'll be running in a container and it doesn't have other runtimes installed in it.
Always make sure to initialize the reexec functionality first. The init() function might still error out if specific environment variables aren't to our liking, but the parent process, which isn't started by reexec, should error out if that's the case, long before it starts any child processes that the error messages might interfere with.
Reexec into a new user namespace at startup if we don't have CAP_SYS_ADMIN in the one that we're started in, even if we're UID 0.
Use github.com/containers/image/v5/storage.Transport.NewStoreReference() to convert the built image's ID into a reference suitable for copying from, rather than attempting to generate an intermediate string representation and parse it again.
Have CopyImage() just use the source reference that its caller already built.
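The CAP_SYS_ADMIN check and user-namespace reexec described in the commits above, as an added Go example that is not the project's own code: it reads the effective capability mask from /proc/self/status (an assumption standing in for a capability library) instead of trusting UID 0, and re-runs the binary under CLONE_NEWUSER when the capability is missing. The REEXECED_IN_USERNS guard variable is hypothetical.

```go
// Added example: re-exec into a new user namespace when the current one does
// not grant CAP_SYS_ADMIN, regardless of whether we are UID 0.
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"strings"
	"syscall"
)

const capSysAdmin = 21 // bit index of CAP_SYS_ADMIN in the Linux capability bitmask

// hasCapSysAdmin parses the "CapEff:" line of a /proc/<pid>/status document
// (the effective capability set, as hex) and reports whether CAP_SYS_ADMIN is
// present. UID 0 is deliberately not consulted: root inside a user namespace,
// or under a restricted capability profile, may still lack it.
func hasCapSysAdmin(status string) (bool, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		mask, err := strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), 16, 64)
		if err != nil {
			return false, fmt.Errorf("parsing CapEff: %w", err)
		}
		return mask&(1<<capSysAdmin) != 0, nil
	}
	return false, fmt.Errorf("no CapEff line found")
}

// reexecCommand builds the command that re-runs this binary with the same
// arguments inside a new user namespace, mapping our UID/GID to 0 there so the
// child holds a full capability set within that namespace.
func reexecCommand(uid, gid int) *exec.Cmd {
	cmd := exec.Command("/proc/self/exe", os.Args[1:]...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.Env = append(os.Environ(), "REEXECED_IN_USERNS=1") // hypothetical guard against looping
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags:  syscall.CLONE_NEWUSER,
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: uid, Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: gid, Size: 1}},
	}
	return cmd
}

func main() {
	if os.Getenv("REEXECED_IN_USERNS") == "" {
		data, err := os.ReadFile("/proc/self/status")
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		if ok, err := hasCapSysAdmin(string(data)); err == nil && !ok {
			if err := reexecCommand(os.Getuid(), os.Getgid()).Run(); err != nil {
				fmt.Fprintln(os.Stderr, "reexec failed:", err)
				os.Exit(1)
			}
			return // the child did the real work
		}
	}
	fmt.Println("running with CAP_SYS_ADMIN in this user namespace")
}
```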