[projects/cleanbuild] prevent builder accessing network (block resolv.conf access)
glen
glen at pld-linux.org
Wed Jun 14 22:50:56 CEST 2017
commit 4f6e2b515b98ba137dfcde393db3db0658b4bfb8
Author: Elan Ruusamäe <glen at pld-linux.org>
Date: Wed Jun 14 23:46:52 2017 +0300
prevent builder accessing network (block resolv.conf access)
docker-builder.sh | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
---
diff --git a/docker-builder.sh b/docker-builder.sh
index e2a932d..5b262b1 100755
--- a/docker-builder.sh
+++ b/docker-builder.sh
@@ -28,10 +28,13 @@ docker run --name=$name -d \
$image
# these paths need to be accessible for builder
-docker exec --user root $name chown builder:builder rpm/logs rpm/BUILD .ccache
+docker exec --user=root $name chown builder:builder rpm/logs rpm/BUILD .ccache
-# fetch sources
-docker exec $name builder -g $package
+# fetch sources and install deps
+docker exec $name builder -g -R $package
+
+# prevent network access like pld builders do
+docker exec --user=root $name setfacl -m u:builder:--- /etc/resolv.conf
git_tag=$(GIT_DIR=$topdir/packages/$package/.git git describe --tags --always)
buildlog=rpm/logs/${git_tag#auto/*/}.log
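Review bot: The `setfacl -m u:builder:--- /etc/resolv.conf` line only removes the builder user's read access to the resolver configuration, which stops libc name lookups but does not prevent network access as the comment on the line above claims: spec scripts run as builder can still connect to literal IP addresses or name their own resolver (e.g. `dig @1.1.1.1`, `curl --dns-servers`), and nothing stops a later `--user=root` step from reading the file. If the intent is to match a network-isolated PLD builder, detach the container after `builder -g -R` has fetched sources and deps, e.g. `docker network disconnect -f bridge "$name" || exit 1` (substitute whichever network the `docker run` above attaches it to; that invocation is outside the hunk, so its network mode is not visible here). Whichever mechanism is kept, its exit status should be checked, since a failed `setfacl` (ACL unsupported on the container filesystem, or the `acl` package missing from the image) currently leaves the build running with full network and no error; whether the script runs under `set -e` is not visible in this hunk. At minimum the comment should state the actual guarantee: `# block libc DNS resolution for builder (does not block direct IP access)`.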
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/projects/cleanbuild.git/commitdiff/4f6e2b515b98ba137dfcde393db3db0658b4bfb8