776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
|
Fortunately, it’s easy enough to have it both ways. Simply run your
`podman` commands as root:
```
$ sudo podman build -t fossil --cap-add MKNOD .
$ sudo podman create \
--name fossil \
--cap-drop AUDIT_WRITE \
--cap-drop NET_RAW \
|
<
<
|
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
|
Fortunately, it’s easy enough to have it both ways. Simply run your
`podman` commands as root:
```
$ sudo podman build -t fossil --cap-add MKNOD .
$ sudo podman create \
--name fossil \
--cap-drop CHOWN \
--cap-drop FSETID \
--cap-drop KILL \
--cap-drop NET_BIND_SERVICE \
--cap-drop SETFCAP \
--cap-drop SETPCAP \
--publish 9999:8080 \
localhost/fossil
$ sudo podman start fossil
```
|
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
|
group, you get silent root privilege escalation on your build machine.
This is why Podman defaults to rootless containers. If you can get away
with it, it’s a better way to work. We would not be recommending
running `podman` under `sudo` if it didn’t buy us [something we wanted
badly](#chroot).
Notice that we had to add the ability to run `mknod(8)` during the
build. Unlike Docker, Podman sensibly denies this by default, which
lets us leave off the corresponding `--cap-drop` option.
##### <a id="pm-root-workaround"></a>Building Under Docker, Running Under Podman
If you have a remote host where the Fossil instance needs to run, it’s
possible to get around this need to build the image as root on the
remote system. You still have to build as root on the local system, but
|
|
|
>
>
>
>
>
|
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
|
group, you get silent root privilege escalation on your build machine.
This is why Podman defaults to rootless containers. If you can get away
with it, it’s a better way to work. We would not be recommending
running `podman` under `sudo` if it didn’t buy us [something we wanted
badly](#chroot).
Notice that we had to add the ability to run `mknod(8)` during the
build. [Podman sensibly denies this by default][nomknod], which lets us
leave off the corresponding `--cap-drop` option. Podman also denies
`CAP_NET_RAW` and `CAP_AUDIT_WRITE` by default, which we don’t need, so
we’ve simply removed them from the `--cap-drop` list relative to the
commands for Docker above.
[nomknod]: https://github.com/containers/podman/issues/15626
##### <a id="pm-root-workaround"></a>Building Under Docker, Running Under Podman
If you have a remote host where the Fossil instance needs to run, it’s
possible to get around this need to build the image as root on the
remote system. You still have to build as root on the local system, but
|