Newbie: Q: custom seccomp profile (flatpak-builder)

After porting some build scripts into drone I’m facing the problem of building flatpak extensions. It boils down to running the flatpak-builder tool.

flatpak, being a sandbox environment, does some odd things. In the end, it needs a custom seccomp profile. The profile is derived from the default, with two added syscalls: clone and pivot_root.

Is it possible to apply a custom seccomp profile on a docker instance on drone.io somehow?


Hi @leamas, I have the same issue, I want to use a custom seccomp profile to be able to run Chromium headless inside Drone.
Did you find a solution on your side?

No. I have given up the attempts to run flatpak-builder inside drone.

OK, thanks for the answer!

Have you tried setting privileged: true for your pipeline step? This should be a viable solution. See https://docs.drone.io/pipeline/docker/syntax/steps/#privileged-mode

Indeed. But do I have access to a trusted repository in the sense which is required here?

More dialog with Dr Google. As I understand it, I should be able to fix this if I run my own instance, but not on drone.io.


Correct, we do not enable privileged mode on Drone cloud, which means you would need to self-host.

Hi @bradrydzewski, thanks for the idea!

When I use privileged: true with drone exec I have the following error:

linter: untrusted repositories cannot enable privileged mode

Do you know if I can use drone exec with privileged: true?
(drone exec is really cool to debug locally).

Another thing about privileged: true is that I fear it will give too much authorization to docker containers. The docker seccomp profile option looks better to me.
Do you think Drone.io could include this feature?

@leamas for info, I have found that it is possible to change the docker seccomp profile for the docker daemon directly. It’s not a perfect workaround (again, it’s too much authorization, I would prefer to avoid changing seccomp profile system-wide) but it exists. See dockerd | Docker Documentation

You can use the drone exec --privileged flag

If you receive this error in the user interface, a Drone system administrator will need to mark the repository as trusted. See this thread for more details.


Nice, thanks!

I just tested and it doesn’t fix the issue I have with running Chromium inside Drone docker container.
Changing docker daemon seccomp fixes it but it’s too wide.
The ideal solution would be to be able to pass docker container run command a custom --security-opt argument.
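Two points in this thread call for the same small piece of tooling: the first post derives its profile from Docker's default by adding clone and pivot_root, and the last post wants to hand that profile to docker run via --security-opt. The script below is an added example, not code from the thread or from Drone; it assumes a self-hosted runner where you control the docker command line (Drone cloud does not expose this). The base profile here is a constructed stand-in with the same shape as moby's profiles/seccomp/default.json (defaultAction, architectures, syscalls rules); in practice you would load the real file instead. The helper treats a syscall as already allowed only when an unconditional SCMP_ACT_ALLOW rule names it, so a clone rule that is restricted by argument filters (as Docker's default does) still gets a plain allow appended rather than being silently skipped.

```python
"""Derive a per-container seccomp profile by allowing extra syscalls.

Added example (not from the thread): start from a Docker-style base
profile, add the syscalls flatpak-builder needs, write the result, and
build the `docker run --security-opt seccomp=<file>` command line.
"""
import json
import re
from copy import deepcopy

# Constructed minimal base profile shaped like Docker's default.json.
# The real default lists hundreds of syscalls and allows clone only with
# an argument mask; this stand-in keeps just enough to show the behaviour.
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {
            "names": ["read", "write", "openat", "close", "exit_group"],
            "action": "SCMP_ACT_ALLOW",
        },
        {
            # Conditional allow: clone is permitted only when the masked
            # flag bits are zero (constructed value, for illustration).
            "names": ["clone"],
            "action": "SCMP_ACT_ALLOW",
            "args": [{"index": 0, "value": 2114060288, "valueTwo": 0,
                      "op": "SCMP_CMP_MASKED_EQ"}],
        },
    ],
}

SYSCALL_NAME = re.compile(r"^[a-z0-9_]+$")


def unconditionally_allowed(profile, name):
    """True only if a plain SCMP_ACT_ALLOW rule (no args/includes/excludes)
    names the syscall; rules with conditions do not count."""
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("args") or rule.get("includes") or rule.get("excludes"):
            continue
        if name in rule.get("names", []):
            return True
    return False


def allow_syscalls(profile, names):
    """Return (new_profile, added_names). The base profile is not mutated.

    Only syscalls that are not already unconditionally allowed get a new
    rule, so the extra exposure is exactly the list returned."""
    if "defaultAction" not in profile:
        raise ValueError("profile has no defaultAction; refusing to extend it")
    for n in names:
        if not SYSCALL_NAME.match(n):
            raise ValueError(f"not a syscall name: {n!r}")
    new = deepcopy(profile)
    missing = [n for n in names if not unconditionally_allowed(new, n)]
    if missing:
        new.setdefault("syscalls", []).append(
            {"names": missing, "action": "SCMP_ACT_ALLOW"})
    return new, missing


def docker_run_argv(profile_path, image, *cmd):
    """Command line that applies the profile to one container only."""
    return ["docker", "run", "--rm",
            "--security-opt", f"seccomp={profile_path}", image, *cmd]


def write_profile(profile, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(profile, fh, indent=2)


if __name__ == "__main__":
    # Syscalls named in the first post of the thread.
    derived, added = allow_syscalls(BASE_PROFILE, ["clone", "pivot_root"])
    print("added unconditional allow for:", added)
    write_profile(derived, "flatpak-builder-seccomp.json")
    # Image name and command are placeholders.
    print(" ".join(docker_run_argv("flatpak-builder-seccomp.json",
                                   "example/flatpak-image:placeholder",
                                   "flatpak-builder", "--help")))
```

Because the profile is attached with --security-opt, only that one container is widened; this is the narrower alternative to changing the daemon's default profile (dockerd --seccomp-profile) that the thread considered too broad. The returned added list is worth logging in CI so the review record shows exactly which syscalls the build step gained beyond the default.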