# Compose definition for the "buildcage" builder: one long-running service
# that runs BuildKit plus iptables/CNI-based networking (see the comments on
# cap_add below) and is configured through the PROXY_MODE / ALLOWED_* /
# EXTERNAL_RESOLVER variables. Nothing is published with `ports:` and no
# network_mode is set, so the service sits on the default compose network.
services:
  builder:
    # Fixed container name (overridable via BUILDER_NAME). Container names must
    # be unique per Docker host, so only one instance runs unless the variable
    # is set differently per instance.
    container_name: ${BUILDER_NAME:-buildcage}
    # The image is always built locally from ./docker/Dockerfile; there is no
    # `image:` key, so nothing is pulled from a registry for this service.
    build:
      context: docker
      dockerfile: Dockerfile
    # Instead of privileged: true, grant only the minimum privileges required
    # to run BuildKit and iptables. This avoids granting full device access
    # and unrestricted /sys write permissions that privileged mode includes.
    #
    # NOTE(review): "minimum" is relative. SYS_ADMIN combined with the
    # unconfined seccomp/AppArmor profiles below, the host cgroup namespace
    # and a writable /sys/fs/cgroup leaves this container effectively
    # root-equivalent on the host (on cgroup v1 hosts that combination is the
    # well-known cgroup release_agent escape path). What is actually removed
    # relative to privileged mode is device access, the other capabilities
    # (SYS_MODULE, SYS_RAWIO, ...) and write access to the rest of /sys.
    # Anything that executes inside this container -- including the builds it
    # runs, to the extent BuildKit's own sandboxing does not hold -- must be
    # treated as host root. Do not point it at untrusted Dockerfiles without
    # an outer isolation boundary (VM, gVisor, Firecracker or similar).
    #
    # BuildKit OCI worker requires SYS_ADMIN for mount, namespaces, and cgroups.
    # iptables and CNI networking require NET_ADMIN.
    # runc needs SYS_PTRACE to access /proc/PID/ns/mnt for mount namespace setup.
    # (SYS_PTRACE is scoped to this container's PID namespace -- `pid: host`
    # is deliberately not set here; keep it that way.)
    cap_add:
      - SYS_ADMIN
      - NET_ADMIN
      - SYS_PTRACE
    # BuildKit/runc needs syscalls (mount, unshare, pivot_root) blocked by
    # default seccomp and AppArmor profiles.
    #
    # NOTE(review): `unconfined` drops the entire default profile, not just
    # those syscalls. A custom seccomp profile (security_opt: seccomp=<file>)
    # that extends Docker's default with exactly the calls BuildKit needs, and
    # an AppArmor profile that keeps docker-default's /proc and /sys write
    # denials, would preserve most of the defense in depth. TODO: confirm the
    # required syscall set against the BuildKit/runc versions pinned in
    # docker/Dockerfile before tightening.
    security_opt:
      - seccomp=unconfined
      - apparmor=unconfined
    # Share the host's cgroup namespace so BuildKit can manage cgroups for
    # build containers. The volume mount makes /sys/fs/cgroup writable
    # (read-only by default in non-privileged containers).
    #
    # NOTE(review): this exposes the host's whole cgroup tree read-write, so
    # processes in this container may be able to move, throttle or OOM-kill
    # arbitrary host processes via cgroup controls -- not only their own build
    # containers. Delegating a dedicated cgroup v2 subtree would scope this;
    # TODO confirm whether the BuildKit OCI worker can run within a delegated
    # subtree on the target hosts.
    cgroup: host
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
    # Egress policy for the builder's proxy/firewall. PROXY_MODE defaults to
    # "restrict" and the three ALLOWED_*_RULES lists default to empty; the rule
    # syntax and the meaning of an empty list (deny-all is the expected
    # default -- confirm against the image's entrypoint) are defined by the
    # image, not by this file.
    # EXTERNAL_RESOLVER is presumably the upstream DNS the proxy uses; it
    # defaults to public resolvers. Hostname-based allow rules are only as
    # trustworthy as these DNS answers, so on networks where that path is not
    # trusted, point it at a resolver you control.
    environment:
      - PROXY_MODE=${PROXY_MODE:-restrict}
      - ALLOWED_HTTPS_RULES=${ALLOWED_HTTPS_RULES:-}
      - ALLOWED_HTTP_RULES=${ALLOWED_HTTP_RULES:-}
      - ALLOWED_IP_RULES=${ALLOWED_IP_RULES:-}
      - EXTERNAL_RESOLVER=${EXTERNAL_RESOLVER:-1.1.1.1,8.8.8.8}
    # Come back after crashes and daemon/host restarts, but stay down after an
    # explicit `docker compose stop`.
    restart: unless-stopped