Replies: 2 comments
-
You can disable SELinux labeling entirely by putting
in ~/.config/containers/containers.conf. I think even with this step it will be more secure than rootful Docker. Or for just one command, you can use |
-
If you enable Docker with --selinux-enabled it will also work. Sadly Docker by default does not enable SELinux separation even on SELinux host platforms, providing very limited security. Someone should fix Docker to not throw an error, perhaps a warning, when the user specifies |
-
I have a Dockerfile in a git repository with a line like this:

I tried to use `podman build` on this Dockerfile and found that I needed to add `,Z` onto the end of the mount options to avoid an SELinux permission error (I was testing in Fedora). With that change, the image can be built. However, `docker build` does not work with the `,Z` option. Is there any subtle change that could let this step work with both `podman` and `docker`?

This step is just getting the code into the image. It could be replaced with a `COPY` but the current syntax is a little nicer for development because it avoids copying in any temporary files in the repo. A separate script could create a git bundle and copy that in but it is nice that the current Dockerfile does not require setup steps before building.

By the way, I had to make two other small changes to switch from docker to podman. I don't know if they are worth capturing anywhere else but I will mention them here:

- `docker build --secret=id=secret.txt`, which apparently is equivalent to `docker build --secret=id=secret.txt,src=secret.txt`, but podman only supports the latter syntax.
- `RUN --mount=source=.,target=/tmp/source,type=bind`, which worked fine with docker, but podman/buildah requires that `type=bind` be the first `--mount` option.

These were easy to address but are little papercuts for switching from docker to podman/buildah.
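One way to keep a single Dockerfile working under both engines is to leave the podman-only `,Z` out of the `RUN --mount` line and let a small wrapper decide per engine and per SELinux mode what the build command needs. This is an added example, not code from anyone in this thread or from the podman project; it assumes podman's `--security-opt label=disable` build flag and the standard `getenforce` tool.

```shell
#!/bin/sh
# Added example: a build wrapper that keeps the Dockerfile portable between
# podman and docker by handling SELinux on the command line instead of in
# the mount options. Assumes `getenforce` and podman's
# `--security-opt label=disable`.

# Prints the SELinux mode: Enforcing, Permissive, or Disabled. Hosts without
# getenforce (no SELinux at all) are reported as Disabled.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo Disabled
    fi
}

# Prints the extra build flags for ENGINE ($1) under SELinux mode ($2).
# Only podman applies SELinux separation to the build container, so only
# podman on an enforcing host needs an opt-out; docker (run without
# --selinux-enabled) gets nothing extra.
build_flags() {
    engine=$1
    mode=$2
    case "$engine:$mode" in
        podman:Enforcing)
            # Drops labeling for this one build only. Unlike ",Z", this does
            # not relabel the host checkout, so other processes keep access.
            echo "--security-opt label=disable" ;;
        *)
            echo "" ;;
    esac
}

# Picks the engine: honour $ENGINE if set, else the first one on PATH.
pick_engine() {
    if [ -n "$ENGINE" ]; then echo "$ENGINE"; return 0; fi
    for e in podman docker; do
        if command -v "$e" >/dev/null 2>&1; then echo "$e"; return 0; fi
    done
    return 1
}

# Usage: build_image IMAGE [CONTEXT]
build_image() {
    engine=$(pick_engine) || { echo "no container engine found" >&2; return 1; }
    # Flags are intentionally unquoted so an empty result adds no argument.
    "$engine" build $(build_flags "$engine" "$(selinux_mode)") -t "$1" "${2:-.}"
}
```

With the `,Z` removed from the Dockerfile, `ENGINE=docker build_image myimage` and `ENGINE=podman build_image myimage` run the same `RUN --mount=type=bind,...` step; the podman build disables separation only for that invocation rather than for every build via containers.conf.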