
Commit

base: disable apt sandbox.
APT uses a _apt user by default for handling its files in the
filesystem. When ignore_chown_errors is set to True, which collapses the
filesystem's UIDs to a single UID (root's one), any apt command will
fail, since setgroups, setegid and seteuid syscalls will not succeed.

Disable apt sandbox as it is not strictly required inside containers.
henriquesimoes committed Aug 20, 2024
1 parent a782305 commit cfaa61d
Showing 2 changed files with 9 additions and 0 deletions.
3 changes: 3 additions & 0 deletions base/Dockerfile
Expand Up @@ -6,6 +6,9 @@ ARG JOBS

ENV DEBIAN_FRONTEND noninteractive

COPY lnls-single-uid.sh /usr/local/bin/lnls-single-uid
RUN lnls-single-uid

RUN apt update -y && \
apt install -y --no-install-recommends \
build-essential \
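
Review bot: `RUN lnls-single-uid` only works if base/lnls-single-uid.sh keeps its executable bit through `COPY`, and the file mode is not visible in this diff; if the script was committed without +x the build stops here with a permission error. Consider `COPY --chmod=755` (BuildKit) or invoking it as `RUN sh /usr/local/bin/lnls-single-uid` so the step does not depend on the mode. A one-line comment above the `COPY` saying that this turns off the apt sandbox for every image built from base would also help, since the name lnls-single-uid does not suggest it.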
6 changes: 6 additions & 0 deletions base/lnls-single-uid.sh
@@ -0,0 +1,6 @@
#!/bin/sh
#
# Configure container filesystem so that single UID restriction is satisfied,
# making ignore_chown_errors=True storage configuration work properly.

echo "APT::Sandbox::User \"root\";" > /etc/apt/apt.conf.d/90-disable-sandbox.conf
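
Review bot: The header comment gives the storage motivation but not the cost of the `echo` line: with `APT::Sandbox::User "root";` apt's download methods no longer drop to the unprivileged _apt user and run as root instead, both during the build and for any later apt use in derived images, whether or not ignore_chown_errors is set on the host. Please state that trade-off in the comment so downstream image authors know the file /etc/apt/apt.conf.d/90-disable-sandbox.conf exists and why. As a style point, single quotes around the echoed string would avoid the escaped inner quotes.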
