stevedlawrence commented on a change in pull request #541:
URL: https://github.com/apache/daffodil/pull/541#discussion_r622112407
##########
File path: containers/release-candidate/README.md
##########
@@ -27,7 +27,7 @@ To build the Daffodil release candidate container image:
To use the container image to build a release run the following:
- podman run -it \
+ podman run -it --privileged \
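Review bot: The `--privileged` added to the `podman run -it` line has no explanation in the README text around it ("To use the container image to build a release run the following:"), so a reader copying the command cannot tell why the build needs it or what it turns off. Add a sentence to the README giving the reason for the flag and stating that the command is meant to be run as a rootless container. If seccomp filtering is the only thing blocking the build, `--security-opt seccomp=unconfined` would lift just that filter and leave the other container confinement in place.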
Review comment:
Note the addition of the ``--privileged`` option when running the
release candidate container. Building the MSI installer with wine failed when I
upgraded to Fedora 34. After lots of debugging, I discovered that Fedora 34
wine would use a relatively new system call (``futex_time64``) when building
the MSI. Because of its newness, the default container seccomp policy on Fedora
33 (and likely many other not brand new systems) does not include this system
call in its whitelist, so this syscall is blocked in the container and wine
crashes. Using ``--privileged`` disables seccomp filtering, and other container
security mechanisms, and allows wine to build the MSI.
Instead of using ``--privileged``, we could create a custom seccomp policy,
but that's likely a pain to maintain. And there are other security mechanisms,
like capabilities, AppArmor, SELinux, etc., that might also get in the way at
some point in the future that the ``--privileged`` option disables. So this
option is most likely to allow things to work with future upgrades. Plus, the
contents of this container are pretty trusted to not do bad things. And even if
it was compromised, the container is still limited to what the user running the
container can do, which hopefully is a rootless container, so any damage would
be limited.
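The custom seccomp policy mentioned in the comment above, sketched as an added example (not code from the pull request or the Daffodil project): it checks whether a profile allows `futex_time64` unconditionally and adds it to the allow list if not. The sample profile is constructed and heavily trimmed, and the output file name `seccomp-wine.json` is an assumption.

```python
import json

# Constructed, heavily trimmed stand-in for a container seccomp profile;
# real default profiles list hundreds of syscalls.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["futex", "read", "write"], "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]}
  ]
}
""")


def unconditional(rule):
    """A rule with no argument filters and no capability/arch conditions."""
    return not (rule.get("args") or rule.get("includes") or rule.get("excludes"))


def is_allowed(profile, syscall):
    """True if `syscall` is allowed regardless of arguments or capabilities."""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []) and unconditional(rule):
            return rule.get("action") == "SCMP_ACT_ALLOW"
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


def allow_syscall(profile, syscall):
    """Return a copy of `profile` that unconditionally allows `syscall`."""
    patched = json.loads(json.dumps(profile))  # deep copy, input untouched
    if is_allowed(patched, syscall):
        return patched
    rules = patched.setdefault("syscalls", [])
    for rule in rules:
        if rule.get("action") == "SCMP_ACT_ALLOW" and unconditional(rule):
            rule["names"] = sorted(set(rule.get("names", [])) | {syscall})
            return patched
    rules.append({"names": [syscall], "action": "SCMP_ACT_ALLOW", "args": []})
    return patched


if __name__ == "__main__":
    patched = allow_syscall(SAMPLE_PROFILE, "futex_time64")
    with open("seccomp-wine.json", "w") as fh:  # hypothetical file name
        json.dump(patched, fh, indent=2)
    print("futex_time64 allowed:", is_allowed(patched, "futex_time64"))
```

A profile patched this way is passed with `podman run --security-opt seccomp=seccomp-wine.json`, which keeps seccomp filtering on instead of disabling it.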