diff --git a/Dockerfile b/Dockerfile
index dd68828..e944a03 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -173,10 +173,16 @@ RUN mkdir /home/dangerzone/.containers
 RUN mkdir -p \
 /new_root \
+ /new_root/etc \
 /new_root/root \
 /new_root/run \
 /new_root/tmp \
- /new_root/home/dangerzone/dangerzone-image/rootfs
+ /new_root/var \
+ /new_root/home/dangerzone/dangerzone-image/rootfs \
+ /new_root/home/dangerzone/dangerzone-image/rootfs/etc \
+ /new_root/home/dangerzone/dangerzone-image/rootfs/opt \
+ /new_root/home/dangerzone/dangerzone-image/rootfs/usr
+
 RUN ln -s /home/dangerzone/dangerzone-image/rootfs/usr /new_root/usr
 RUN ln -s usr/bin /new_root/bin
@@ -192,9 +198,9 @@ RUN chown dangerzone:dangerzone \
 # Fix permissions in /tmp, so that it can be used by unprivileged users.
 RUN chmod 777 /new_root/tmp
-## Final image
+## Intermediate image
-FROM scratch
+FROM scratch AS intermediate
 # Copy the filesystem hierarchy that we created in the previous stage, so that
 # /usr can be a symlink.
@@ -212,6 +218,24 @@ RUN ln -s usr/lib64 /home/dangerzone/dangerzone-image/rootfs/lib64
 COPY --from=dangerzone-image /etc/ /etc/
 COPY --from=dangerzone-image /var/ /var/
+RUN chmod g-s \
+ /etc/ \
+ /home/ \
+ /var/ \
+ /root/ \
+ /run/ \
+ /home/dangerzone/dangerzone-image/rootfs/etc/ \
+ /home/dangerzone/dangerzone-image/rootfs/opt/ \
+ /home/dangerzone/dangerzone-image/rootfs/usr/
+
+### Final image
+
+FROM scratch
+
+# Copy the filesystem hierarchy that we created in the previous stage, so that
+# /usr can be a symlink.
+COPY --from=intermediate / /
+
 # Switch to the dangerzone user for the rest of the script.
 USER dangerzone
diff --git a/Dockerfile.in b/Dockerfile.in
index 3b283a5..ad750c7 100644
--- a/Dockerfile.in
+++ b/Dockerfile.in
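Review bot: In the third Dockerfile hunk the new `RUN chmod g-s` step has no comment saying why the setgid bit is cleared, and the comment copied above `COPY --from=intermediate / /` still talks about the /usr symlink instead of what the extra stage is for. The chmod is not recursive and touches only the listed directories, so a setgid bit on any other directory would survive into the final image. If the aim is that directory modes do not vary with the build host, state it above the step, for example `# Clear setgid on these directories so their modes are the same on every build host` (reason to be confirmed by the author), and reword the final-stage comment to say it flattens the intermediate stage into one layer. The matching hunk in Dockerfile.in needs the same two comments.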
@@ -173,10 +173,16 @@ RUN mkdir /home/dangerzone/.containers
 RUN mkdir -p \
 /new_root \
+ /new_root/etc \
 /new_root/root \
 /new_root/run \
 /new_root/tmp \
- /new_root/home/dangerzone/dangerzone-image/rootfs
+ /new_root/var \
+ /new_root/home/dangerzone/dangerzone-image/rootfs \
+ /new_root/home/dangerzone/dangerzone-image/rootfs/etc \
+ /new_root/home/dangerzone/dangerzone-image/rootfs/opt \
+ /new_root/home/dangerzone/dangerzone-image/rootfs/usr
+
 RUN ln -s /home/dangerzone/dangerzone-image/rootfs/usr /new_root/usr
 RUN ln -s usr/bin /new_root/bin
@@ -192,9 +198,9 @@ RUN chown dangerzone:dangerzone \
 # Fix permissions in /tmp, so that it can be used by unprivileged users.
 RUN chmod 777 /new_root/tmp
-## Final image
+## Intermediate image
-FROM scratch
+FROM scratch AS intermediate
 # Copy the filesystem hierarchy that we created in the previous stage, so that
 # /usr can be a symlink.
@@ -212,6 +218,23 @@ RUN ln -s usr/lib64 /home/dangerzone/dangerzone-image/rootfs/lib64
 COPY --from=dangerzone-image /etc/ /etc/
 COPY --from=dangerzone-image /var/ /var/
+RUN chmod g-s \
+ /etc/ \
+ /var/ \
+ /root/ \
+ /run/ \
+ /home/dangerzone/dangerzone-image/rootfs/etc/ \
+ /home/dangerzone/dangerzone-image/rootfs/opt/ \
+ /home/dangerzone/dangerzone-image/rootfs/usr/
+
+### Final image
+
+#FROM scratch
+
+## Copy the filesystem hierarchy that we created in the previous stage, so that
+## /usr can be a symlink.
+#COPY --from=intermediate / /
+
 # Switch to the dangerzone user for the rest of the script.
 USER dangerzone
diff --git a/dev_scripts/repro-build b/dev_scripts/repro-build
index 455f08f..29bcade 100755
--- a/dev_scripts/repro-build
+++ b/dev_scripts/repro-build
@@ -311,7 +311,7 @@ def podman_build(
 if use_cache:
 cache_args = [
 "--export-cache",
- "type=local,dest=/tmp/cache",
+ "type=local,mode=max,dest=/tmp/cache",
 "--import-cache",
 "type=local,src=/tmp/cache",
 ]
diff --git a/install/common/build-image.py b/install/common/build-image.py
index f2e0ed9..1f017e0 100644
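Review bot: The third Dockerfile.in hunk leaves the final stage commented out (`#FROM scratch`, `#COPY --from=intermediate / /`) and its `chmod g-s` list lacks the `/home/ \` entry that the Dockerfile hunk has, so the two files now describe different images. Built from Dockerfile.in, the image would end at the `intermediate` stage with the chmod as one more layer on top, and `/home/` would keep any setgid bit it carries. If Dockerfile is rendered from Dockerfile.in, which the near-identical hunks suggest but the page does not show, the next regeneration would drop the final stage. Uncomment the four lines under `### Final image` and add `/home/ \` after `/etc/ \`.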
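Review bot: In dev_scripts/repro-build, `mode=max` makes the export write the layers of every stage, not only the final one, into `/tmp/cache`, and the same fixed path is imported again on the next build. A reproducible build then trusts more content from that directory than before. Whether `/tmp/cache` sits inside a build container or on a shared host is not visible here; if on a host, it should be a directory only the building user can write. A comment above the argument would record the intent, for example `# mode=max: also cache layers of intermediate stages, not only the final image`. podman_build starts and ends outside the hunk.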
--- a/install/common/build-image.py
+++ b/install/common/build-image.py
@@ -129,7 +129,8 @@ def main():
 print("Building container image")
 cache_args = [] if args.use_cache else ["--no-cache"]
 platform_args = [] if not args.platform else ["--platform", args.platform]
- rootless_args = [] if args.runtime == "docker" else ["--rootless"]
+ # rootless_args = [] if args.runtime == "docker" else ["--rootless"]
+ rootless_args = []
 dry_args = [] if not args.dry else ["--dry"]
 subprocess.run(
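Review bot: `rootless_args = []` stops passing `--rootless` for every runtime, so the non-Docker path no longer requests a rootless build, and the old expression is left behind as a commented-out line with no reason given. What the flag changes is decided in the script being called, which this hunk does not show, but if it selects an unprivileged builder then this change silently widens the privileges of the image build. Either restore the conditional or replace the dead line with a comment that records the decision, for example `# --rootless is not passed for podman because <reason>; restore once <condition>`. main() continues outside the hunk.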