first attempt to build an official Docker image #1896 #3381
Details can be found in docker/README.md
Trying to run this with the proposed command from the docs causes the following error for me:
Only when I add
Hmm good question. SYS_ADMIN is enough on my system. Might be a question of docker and kernel version?
Possible. I'm not really a docker expert, unfortunately. I'm running the 5.10 kernel. Not sure if that's enough to explain the different results.
As suggested by @glensc
8ec88a5 to 12c524a
@splitbrain If you're interested you can take some inspiration with my image: https://github.com/crazy-max/docker-dokuwiki
This is an interesting approach for sure, but I fear that the need for the container to have I'm glad to see thought and effort being put toward this regardless.
What about just dropping that capability after mounting? Then the security impact should be minimal.
I guess the same could be achieved using a FUSE based overlay FS like https://github.com/containers/fuse-overlayfs When I have time I'll do some tests.
Hmm seems like fuse needs a privileged container as well. I didn't expect that, what a bummer. @michitux how would I drop the privileges after mounting?
A quick search gave me this page: so, in the entrypoint script, instead of invoking bash or httpd (whatever) you execute via capsh: exec capsh --drop=cap_net_raw --print -- -c "/bin/ping -c 1 localhost"
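The pattern suggested above (mount the overlay while CAP_SYS_ADMIN is available, then drop it before handing off to the web server), as an added example entrypoint that is not the PR's own code. It assumes the container is started with --cap-add SYS_ADMIN rather than --privileged, that capsh from libcap is installed in the image, that the merged tree belongs at /var/www/html, and that the upper and work directories live under the /overlay/storage volume; only /overlay/original and /overlay/storage come from the PR.

```shell
#!/bin/sh
# Added example entrypoint (not from the PR): mount the overlay with
# CAP_SYS_ADMIN, then drop it from the bounding set before exec'ing httpd.
set -eu

# Assumed layout; the PR only shows /overlay/original and /overlay/storage.
LOWER=/overlay/original
UPPER=/overlay/storage/upper
WORK=/overlay/storage/work
TARGET=/var/www/html                       # assumed merged docroot
SERVER_CMD="${SERVER_CMD:-apache2-foreground}"

CAP_SYS_ADMIN_BIT=21                       # number from <linux/capability.h>

# cap_in_mask MASK BIT: succeed when BIT is set in a hex capability mask
# as printed in the CapBnd/CapEff lines of /proc/<pid>/status.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# bounding_mask: this process's bounding set, hex, from /proc/self/status.
bounding_mask() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# mount_overlay: the single step that actually needs CAP_SYS_ADMIN.
mount_overlay() {
    mkdir -p "$UPPER" "$WORK" "$TARGET"
    mount -t overlay overlay \
        -o "lowerdir=$LOWER,upperdir=$UPPER,workdir=$WORK" "$TARGET"
}

main() {
    if ! cap_in_mask "$(bounding_mask)" "$CAP_SYS_ADMIN_BIT"; then
        echo "CAP_SYS_ADMIN missing; start with --cap-add SYS_ADMIN" >&2
        exit 1
    fi
    mount_overlay
    # capsh clears cap_sys_admin from the bounding set and then execs
    # /bin/bash -c ...; after exec the server can no longer regain it,
    # so it can neither remount nor mount anything else.
    exec capsh --drop=cap_sys_admin -- -c "exec $SERVER_CMD"
}

# Run the mount/exec path only when invoked as the entrypoint, not when sourced.
case "${0##*/}" in dokuwiki-entrypoint) main "$@" ;; esac
```

Inside the running container, `grep CapBnd /proc/1/status` should show bit 21 cleared (e.g. 0000003fffdfffff instead of 0000003fffffffff) once the server is up.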
ARG BRANCH=stable | ||
COPY --chmod=755 ./entrypoint.sh /usr/local/sbin/entrypoint |
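Review bot: the `--chmod` flag on this COPY line is only understood by BuildKit (Dockerfile frontend 1.2 and later); with the legacy builder the build stops with an error about the option requiring BuildKit. Either note in docker/README.md that the image must be built with DOCKER_BUILDKIT=1 (or a `# syntax=` directive), or copy the file and set the mode in a RUN step so the Dockerfile builds everywhere.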
It's best to rename it to a less generic name, so in case you want/need to wrap and execute another one, like you do with the php entrypoint:
exec docker-php-entrypoint apache2-foreground
if the parent image also had it named as entrypoint, you would need to make workarounds.
Hence, I propose to use a file named dokuwiki-entrypoint when installing (it doesn't matter how you name it in your git repository).
VOLUME /overlay/storage | ||
# setup DokuWiki | ||
RUN mkdir -p /overlay/original && \ |
RUN mkdir -p /overlay/original && \ | |
RUN set -x && \ | |
mkdir -p /overlay/original && \ |
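Review bot: `set -x` in this suggested RUN line echoes every expanded command into the build log, which is useful for debugging but also means any value that reaches this step through a build argument (the Dockerfile already declares `ARG BRANCH=stable`) is printed verbatim. The suggestion is fine as long as no secrets are ever passed as build args; if that changes, keep `set -x` off for the affected step.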
I like the shell to show what commands are executed; it eases debugging and has no downside for the final image.
I have the same issue running docker 20.10.3 on Debian Buster. Adding privileged works for docker run, but privileged can't be used in swarm mode.
I am closing this PR. I agree that the requirement of elevated privileges makes this approach impractical for real life use.
Please pay special attention to the todos listed in the readme. I need some help with this. Pull requests against this branch welcome.