Support better isolation when building images as part of kube play #20024

Closed
ifireball opened this issue Sep 19, 2023 · 5 comments · Fixed by #20455
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.


@ifireball

Feature request description

podman kube play has a useful option to build an image when the image specified in the K8s YAML maps to a directory with a Dockerfile or a Containerfile in it.

Currently, when images are built this way, the isolation used is hard-coded to "chroot", as is evident from this code.

This can cause more complex container builds to fail due to e.g. collisions with resources running on the host.

Suggest potential solution

I would like to have at least one of the following:

  • If nothing else, document the current behaviour - it took us quite a while to figure out why images that build properly with podman build fail to build with podman kube play
  • A command-line option to set the desired isolation level
  • Support for the BUILDAH_ISOLATION environment variable
  • A way to specify the isolation via the k8s YAML file (e.g. via a Pod annotation)
  • Default to higher isolation level (OCI or rootless)

Have you considered any alternatives?

We are currently telling people to build the images on their own via podman build before spinning up their environment via podman kube play. We may also end up providing our own wrapper script, but this is cumbersome. We'd really like to have a single command to spin up a work environment.


@ifireball ifireball added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 19, 2023
@rhatdan
Member

rhatdan commented Sep 19, 2023

Interested in doing any of this yourself?

@flouthoc WDYT?

@flouthoc
Collaborator

Yes I think podman play kube must honor BUILDAH_ISOLATION or must have a higher level CLI flag.

@flouthoc
Collaborator

I'll check this.

@flouthoc flouthoc self-assigned this Sep 20, 2023
@github-actions

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Member

rhatdan commented Oct 23, 2023

@flouthoc any update?

rhatdan added a commit to rhatdan/podman that referenced this issue Oct 24, 2023
Users can specify BUILDAH_ISOLATION environment variable to change the
default.

Fixes: containers#20024

Currently podman play kube is defaulting to chroot, which is the least
safe version of build, we should always default to secure whenever
possible. Chroot should only be used when building within a container.

No great way to test this.
[NO NEW TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
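As an added example, not code from the podman project, from the issue author or from the commit above: a POSIX shell wrapper showing the selection logic this thread asks for, i.e. honour BUILDAH_ISOLATION when it is set and valid, otherwise default to the stronger isolation modes and fall back to chroot only when the build is already running inside a container. The isolation names chroot, oci and rootless are buildah's own --isolation values; the container marker files and the helper names resolve_isolation, running_in_container and build_kube_image are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not podman's own code: pick the buildah isolation mode that a
# "kube play --build" style wrapper should pass to podman build.
#
# Assumptions (not from the issue): isolation names are buildah's --isolation
# values (chroot, oci, rootless); "already inside a container" is detected with
# the conventional /.dockerenv and /run/.containerenv marker files, which is a
# heuristic rather than an official API.

# Print 1 when the marker files suggest we run inside a container, else 0.
running_in_container() {
    if [ -f /.dockerenv ] || [ -f /run/.containerenv ]; then
        echo 1
    else
        echo 0
    fi
}

# resolve_isolation [requested] [uid] [nested]
#   $1  requested isolation, normally "$BUILDAH_ISOLATION" (may be empty)
#   $2  effective uid (defaults to the current user)
#   $3  1 if already inside a container, 0 otherwise (defaults to a probe)
# Prints the isolation to use. An unknown request returns 1 and prints
# nothing, so a typo cannot silently downgrade the build to chroot.
resolve_isolation() {
    requested="$1"
    uid="${2:-$(id -u)}"
    nested="${3:-$(running_in_container)}"

    if [ -n "$requested" ]; then
        case "$requested" in
            chroot|oci|rootless)
                printf '%s\n' "$requested"
                return 0
                ;;
            *)
                printf 'unknown BUILDAH_ISOLATION value: %s\n' "$requested" >&2
                return 1
                ;;
        esac
    fi

    # Secure default: chroot is the weakest mode and is only needed when the
    # build itself already runs inside a container; otherwise prefer the
    # namespace-based modes (rootless for unprivileged users, oci for root).
    if [ "$nested" = "1" ]; then
        printf 'chroot\n'
    elif [ "$uid" != "0" ]; then
        printf 'rootless\n'
    else
        printf 'oci\n'
    fi
}

# build_kube_image <context-dir> <image-tag>
# Builds the directory that a kube YAML image name mapped to, using the
# resolved isolation. Not invoked here; call it from a wrapper script that
# runs before "podman kube play".
build_kube_image() {
    ctx="$1"
    tag="$2"
    isolation="$(resolve_isolation "${BUILDAH_ISOLATION:-}")" || return 1
    podman build --isolation "$isolation" -t "$tag" "$ctx"
}
```

The explicit uid and nested arguments exist so the policy can be exercised without root or a container; in a real wrapper only the first argument is passed and the other two are probed.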
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Jan 23, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 23, 2024