do we need to run buildah containers always with BUILDAH_ISOLATION = chroot #5818
Comments
|
In many cases, a container that's run using the image will not be given enough privileges for |
|
Thanks @nalind for your reply. |
|
Yes, the container image has the environment variable set in it to override the compiled-in default. |
|
I have a similar need to run buildah in Kubernetes with better isolation.
What privileges are those? How can I check if the environment provides them? |
Hi,
I have a buildah container image (quay.io/buildah/stable:latest) running with default setting as a "BUILDAH_ISOLATION = chroot" in Kubernetes. However, I am wondering is this really required to run the buildah as a container ?
Can someone pleas explain this ,
https://github.com/containers/buildah/blob/main/docs/buildah-build.1.md
_"--isolation type
Controls what type of isolation is used for running processes as part of RUN instructions. Recognized types include oci (OCI-compatible runtime, the default), rootless (OCI-compatible runtime invoked using a modified configuration, with --no-new-keyring added to its create invocation, reusing the host's network and UTS namespaces, and creating private IPC, PID, mount, and user namespaces; the default for unprivileged users), and chroot (an internal wrapper that leans more toward chroot(1) than container technology, reusing the host's control group, network, IPC, and PID namespaces, and creating private mount and UTS namespaces, and creating user namespaces only when they're required for ID mapping).
Note: You can also override the default isolation type by setting the BUILDAH_ISOLATION environment variable. export BUILDAH_ISOLATION=oci"_
The text was updated successfully, but these errors were encountered: