Add comments explaining why privileges are granted individually

dash14 · dash14 · commit 8a5af1f1f501 · 2026-03-03T21:48:21.000+09:00
diff --git a/compose.yml b/compose.yml
@@ -3,6 +3,10 @@ services:
     build:
       context: docker
       dockerfile: Dockerfile
+    # Instead of privileged: true, grant only the minimum privileges required
+    # to run BuildKit and iptables. This avoids granting full device access
+    # and unrestricted /sys write permissions that privileged mode includes.
+    #
     # BuildKit OCI worker requires SYS_ADMIN for mount, namespaces, and cgroups.
     # iptables and CNI networking require NET_ADMIN.
     # runc needs SYS_PTRACE to access /proc/PID/ns/mnt for mount namespace setup.
diff --git a/setup/compose.yml b/setup/compose.yml
@@ -1,6 +1,10 @@
 services:
   builder:
     image: ${BUILDCAGE_IMAGE}:${BUILDCAGE_VERSION:-1}
+    # Instead of privileged: true, grant only the minimum privileges required
+    # to run BuildKit and iptables. This avoids granting full device access
+    # and unrestricted /sys write permissions that privileged mode includes.
+    #
     # BuildKit OCI worker requires SYS_ADMIN for mount, namespaces, and cgroups.
     # iptables and CNI networking require NET_ADMIN.
     # runc needs SYS_PTRACE to access /proc/PID/ns/mnt for mount namespace setup.
