On Wed, 2020-02-19 at 14:50 +0100, Bartłomiej Piotrowski wrote:
> Hello,
> 
> For historical reasons™ all GitLab runners were running with privileged
> mode enabled. The happy side effect of this fact is that nothing special
> was ever needed to run Docker or flatpak builds. It also means we were
> extremely lucky that no one abused CAP_SYS_ADMIN and other elevated
> privileges for bad things.
> 
> For the past few days I've been working to ensure that Flatpak builds are
> still functional without additional privileges. If your project is using
> citemplates[1], the configuration change should be invisible to your
> pipelines and you can keep on doing awesome GNOME work. However, if you
> have modified default steps via the 'extends' keyword (or by defining them
> completely manually), please make sure that:

It seems like this isn't quite working as it should. This MR is porting
sound-juicer to meson:
https://gitlab.gnome.org/GNOME/sound-juicer/-/merge_requests/6

It uses the flatpak_ci_initiative.yml template and throws this error:
 bwrap: Creating new namespace failed, likely because the kernel does
not support user namespaces.  bwrap must be installed setuid on such
systems.

> 1) you are using the
> registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome image or your
> image does not run as root,

From the template:
.flatpak:
  image: 'registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome:master'

> 2) jobs using flatpak/flatpak-builder have "flatpak" tag defined,

From the template:
  tags:
    - flatpak
And in the pipeline output:
https://gitlab.gnome.org/GNOME/sound-juicer/-/jobs/606529

> 3) flatpak-builder invocation includes --user --disable-rofiles-fuse for
> building; 'flatpak-builder --run' includes --disable-rofiles-fuse.

In the template:
  script:
    - flatpak-builder --user --disable-rofiles-fuse --stop-at=${FLATPAK_MODULE} flatpak_app ${MANIFEST_PATH}
(also visible in the pipeline output).

Is there anything else that needs to be done?

> If your project's pipeline is using Docker to build an image from
> Dockerfile, consider switching to podman or buildah as they should work
> unprivileged.
> 
> The only exception from these changes are runners assigned to
> gnome-build-meta.
> 
> If you encounter any problems with running CI unprivileged, please poke
> me on #sysadmin on irc.gnome.org or via Rocket.chat.
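An added diagnostic, not from this thread or the GNOME CI templates, that a job can run before flatpak-builder to report whether unprivileged user namespaces are actually usable inside the runner container. The sysctl paths and the `unshare -U` probe are standard Linux/util-linux; the verdict strings and function names are my own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): explain a
# "bwrap: Creating new namespace failed" error in an unprivileged CI job.

# classify_userns <unprivileged_userns_clone> <max_user_namespaces>
# Pure helper: interprets the two kernel knobs that gate unprivileged user
# namespaces. Pass "-" for a knob whose file does not exist
# (kernel.unprivileged_userns_clone only exists on some distro kernels).
classify_userns() {
    clone="$1" max="$2"
    if [ "$clone" = 0 ]; then
        echo disabled_by_sysctl      # kernel.unprivileged_userns_clone=0
    elif [ "$max" = 0 ]; then
        echo disabled_by_limit       # user.max_user_namespaces=0
    else
        echo sysctls_allow
    fi
}

# read_knob <path>: print the knob's value, or "-" when it is absent.
read_knob() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else echo -; fi
}

# probe_userns: actually try to create a user namespace, as bwrap does.
# A refusal here while the sysctls allow it points at the container
# runtime (seccomp profile or missing capability) rather than the kernel.
probe_userns() {
    if ! command -v unshare >/dev/null 2>&1; then
        echo probe_unavailable; return
    fi
    if unshare -U true 2>/dev/null; then
        echo userns_ok
    else
        echo userns_blocked
    fi
}

# diagnose: one verdict block for the job log.
diagnose() {
    if [ "$(id -u)" = 0 ]; then
        echo "note: job runs as root; the announcement asks that the image not run as root"
    fi
    verdict=$(classify_userns "$(read_knob /proc/sys/kernel/unprivileged_userns_clone)" \
                              "$(read_knob /proc/sys/user/max_user_namespaces)")
    echo "sysctl verdict: $verdict"
    echo "probe verdict:  $(probe_userns)"
}

diagnose
```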

_______________________________________________
desktop-devel-list mailing list
desktop-devel-list@gnome.org
https://mail.gnome.org/mailman/listinfo/desktop-devel-list