chore: adding backlog of additions

This commit is contained in:
Tommy 2024-11-03 21:28:20 +01:00
parent 28ff5da7ed
commit d5380d1ea2
Signed by: tommy
SSH key fingerprint: SHA256:1LWgQT3QPHIT29plS8jjXc3S1FcE/4oGvsx3Efxs6Uc
24 changed files with 534 additions and 38 deletions

View file

@ -1,6 +1,7 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
import os import os
import yaml import yaml
import subprocess
import logging import logging
from jinja2 import Environment, PackageLoader, select_autoescape from jinja2 import Environment, PackageLoader, select_autoescape
@ -14,7 +15,6 @@ repo_name = os.getenv("REPO_NAME") or os.getenv("GITHUB_REPOSITORY", "default_re
env = Environment(loader=PackageLoader("render-readme"), autoescape=select_autoescape()) env = Environment(loader=PackageLoader("render-readme"), autoescape=select_autoescape())
def load_metadata(file_path): def load_metadata(file_path):
try: try:
with open(file_path, "r") as f: with open(file_path, "r") as f:
@ -25,7 +25,6 @@ def load_metadata(file_path):
logging.error(f"File {file_path} not found.") logging.error(f"File {file_path} not found.")
return None return None
def process_metadata(apps_dir): def process_metadata(apps_dir):
app_images = [] app_images = []
for subdir, _, files in os.walk(apps_dir): for subdir, _, files in os.walk(apps_dir):
@ -36,7 +35,14 @@ def process_metadata(apps_dir):
if not meta: if not meta:
continue # Skip if metadata couldn't be loaded continue # Skip if metadata couldn't be loaded
# Iterate through the channels and build image metadata dockerfile_path = os.path.join(subdir, "Dockerfile")
docker_labels = load_docker_labels(dockerfile_path)
# Compliance check and badge setting
goss_file = os.path.join(subdir, "ci", "goss.yaml")
print(goss_file)
badge = run_compliance_check(goss_file)
for channel in meta.get("channels", []): for channel in meta.get("channels", []):
name = ( name = (
meta["app"] meta["app"]
@ -46,13 +52,71 @@ def process_metadata(apps_dir):
image = { image = {
"name": name, "name": name,
"channel": channel["name"], "channel": channel["name"],
"html_url": f"https://code.252.no/{repo_owner}/pkgs/container/{name}", "version": meta["version"],
"platforms": channel["platforms"],
"tests_enabled": channel["tests"]["enabled"],
"tests_type": channel["tests"]["type"],
"html_url": f"https://code.252.no/{repo_owner}/containers/{name}",
"owner": repo_owner, "owner": repo_owner,
"maintainer": docker_labels.get("maintainer"),
"description": docker_labels.get("org.opencontainers.image.description"),
"source": docker_labels.get("org.opencontainers.image.source"),
"vendor": docker_labels.get("org.opencontainers.image.vendor"),
"authors": docker_labels.get("org.opencontainers.image.authors"),
"badge": badge,
} }
app_images.append(image) app_images.append(image)
logging.info(f"Added image {name} from channel {channel['name']}") logging.info(f"Added image {name} from channel {channel['name']} with badge {badge}")
return app_images return app_images
def load_docker_labels(dockerfile_path):
labels = {}
try:
with open(dockerfile_path, "r") as f:
for line in f:
if line.startswith("LABEL"):
label_parts = line.split("=", 1)
if len(label_parts) == 2:
key, value = label_parts
key = key.replace("LABEL ", "").strip().replace("\"", "")
value = value.strip().replace("\"", "")
labels[key] = value
except FileNotFoundError:
logging.warning(f"Dockerfile {dockerfile_path} not found.")
return labels
def run_compliance_check(goss_file, image_name):
"""Run compliance test using dgoss and return appropriate badge path."""
if not os.path.exists(goss_file):
logging.warning(f"Compliance file {goss_file} not found.")
return "assets/build-failing-red.svg" # Default to failing badge if no compliance file
# Set up the environment variables needed for dgoss
env = os.environ.copy()
env["CONTAINER_RUNTIME"] = "docker"
env["GOSS_FILE"] = goss_file
env["GOSS_OPTS"] = "--retry-timeout 60s --sleep 2s --color --format documentation"
env["GOSS_SLEEP"] = "2"
env["GOSS_FILES_STRATEGY"] = "cp"
print("Running dgoss with file:", goss_file, "on image:", image_name)
# Run dgoss against the container image
result = subprocess.run(
["dgoss", "run", image_name],
capture_output=True,
env=env,
shell=True # Necessary to handle dgoss's internal shell scripts
)
output = result.stdout.decode()
print(output) # Decode and print output for logging
if result.returncode == 0:
logging.info(f"Compliance check passed for {goss_file}")
return "assets/badges/build-passing-brightgreen.svg"
else:
logging.error(f"Compliance check failed for {goss_file}")
return "assets/build-failing-red.svg"
if __name__ == "__main__": if __name__ == "__main__":
apps_dir = "./apps" apps_dir = "./apps"
@ -64,4 +128,4 @@ if __name__ == "__main__":
f.write(template.render(app_images=app_images)) f.write(template.render(app_images=app_images))
logging.info("README.org successfully generated.") logging.info("README.org successfully generated.")
except Exception as e: except Exception as e:
logging.error(f"Error rendering template: {e}") logging.error(f"Error rendering template: {e}")

View file

@ -8,7 +8,7 @@
#+BEGIN_EXPORT html #+BEGIN_EXPORT html
<div align="center"> <div align="center">
<h1>Container Collection</h1> <h1>Container Collection</h1>
<h3>Containers for Kubernetes deployment_</h3> <h4>Images for Kubernetes deployments</h4>
<img src="https://code.252.no/tommy/containers/raw/branch/main/assets/macchiato-palette.png" width="600" align="center"/> <img src="https://code.252.no/tommy/containers/raw/branch/main/assets/macchiato-palette.png" width="600" align="center"/>
<p></p> <p></p>
<a href="https://nixos.wiki/wiki/Flakes" target="_blank"> <a href="https://nixos.wiki/wiki/Flakes" target="_blank">

View file

@ -0,0 +1,40 @@
name: "Build and Push Images with Podman in Colima Using Custom Seccomp Profile"
on:
push:
paths:
- 'apps/*/Dockerfile'
workflow_dispatch:
jobs:
build-and-push:
name: Build and Push Images with Podman and Custom Seccomp Profile in Colima
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Install Podman Dependencies
run: |
sudo apt-get update
sudo apt-get install -y podman slirp4netns fuse-overlayfs
- name: Build and Push Images with Custom Seccomp Profile
run: |
export REGISTRY_USER=$GITHUB_REPOSITORY_OWNER
export REGISTRY_PASS=$GITHUB_TOKEN
SEC_PROFILE=./podman-seccomp.json
for dockerfile in $(find ./apps -name Dockerfile); do
app_name=$(basename $(dirname $dockerfile))
image="code.252.no/tommy/containers/${app_name}:latest"
# Use the seccomp profile within Colima
sudo podman build --security-opt seccomp=unconfined --tls-verify=false -t $image -f $dockerfile
echo $REGISTRY_PASS | sudo podman login code.252.no -u $REGISTRY_USER --password-stdin
sudo podman push --security-opt seccomp=$SEC_PROFILE $image --tls-verify=false
done
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}

View file

@ -25,7 +25,12 @@ jobs:
shell: bash shell: bash
run: pip install -r ./.forgejo/scripts/requirements.txt && pip freeze run: pip install -r ./.forgejo/scripts/requirements.txt && pip freeze
- name: Render README - name: Install Goss
shell: bash
run: |
curl -fsSL https://goss.rocks/install | sh
- name: Run Compliance Tests and Render README
env: env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
shell: bash shell: bash
@ -40,4 +45,4 @@ jobs:
git config --global user.email "tommy+forgejo@252.no" git config --global user.email "tommy+forgejo@252.no"
git add ./README.org git add ./README.org
git commit -m "chore: render README.org" || echo "No changes to commit" git commit -m "chore: render README.org" || echo "No changes to commit"
git push https://x-access-token:${{ secrets.GITHUB_TOKEN }}@code.252.no/tommy/containers.git || echo "No changes to push" #git push https://x-access-token:${{ secrets.GITHUB_TOKEN }}@code.252.no/tommy/containers.git || echo "No changes to push"

20
.taskfiles/docker.yaml Normal file
View file

@ -0,0 +1,20 @@
version: "3"
tasks:
create-image:
desc: Build local docker image (nixos-builder)
cmds:
- nerdctl build --platform linux/amd64 -t nixos-builder --no-cache apps/lix-builder
shell:
desc: Drop into a build shell
env:
app: "{{ .app }}"
cmds:
- nerdctl run -v "$(pwd)/apps/{{.app}}":/root/working-dir -w /root/working-dir --platform linux/amd64 -it nixos-builder -c "nix develop"
cache:
desc: Start an attic server
dir: "attic"
cmds:
- nerdctl run -it --rm --name=attic -p 8080:8080 -v ./config:/var/empty/.config/attic -v ./data:/var/empty/.local/share/attic docker.io/heywoodlh/attic

View file

@ -1,20 +1,14 @@
version: "3" version: "3"
vars: vars:
LABELS_CONFIG_FILE: '{{.ROOT_DIR}}/.github/labels.yaml' PROJECT_DIR:
sh: "git rev-parse --show-toplevel"
includes:
docker: .taskfiles/docker.yaml
tasks: tasks:
default: default:
cmd: task -l
silent: true silent: true
append-app-labels:
desc: Append app labels to the labels config file
cmds: cmds:
- for: {var: apps} - task -l
cmd: |
yq -i '. += [{"name": "app/{{.ITEM}}", "color": "0e8a16"}]' {{.LABELS_CONFIG_FILE}}
vars:
apps:
sh: for dir in {{.ROOT_DIR}}/apps/*/; do basename "${dir}"; done
silent: true

View file

@ -1,7 +1,14 @@
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env
LABEL maintainer="tommy@252.no"
LABEL org.opencontainers.image.title="Forgejo Runner"
LABEL org.opencontainers.image.description="Forgejo Runner for Kubernetes with minimal privileges"
LABEL org.opencontainers.image.url="https://code.252.no/tommy/containers/forgejo-runner"
LABEL org.opencontainers.image.source="https://code.252.no/tommy/containers"
LABEL org.opencontainers.image.vendor="https://code.252.no/tommy"
LABEL org.opencontainers.image.authors="tommy@252.no"
# #
# Transparently cross compile for the target platform # Transparently cross compile for the target platform
# #
@ -25,17 +32,6 @@ RUN apk add --no-cache git bash
COPY --from=build-env /srv/forgejo-runner /bin/forgejo-runner COPY --from=build-env /srv/forgejo-runner /bin/forgejo-runner
LABEL maintainer="contact@forgejo.org" \
org.opencontainers.image.authors="Forgejo" \
org.opencontainers.image.url="https://forgejo.org" \
org.opencontainers.image.documentation="https://forgejo.org/docs/latest/admin/actions/#forgejo-runner" \
org.opencontainers.image.source="https://code.forgejo.org/forgejo/runner" \
org.opencontainers.image.version="${RELEASE_VERSION}" \
org.opencontainers.image.vendor="Forgejo" \
org.opencontainers.image.licenses="MIT" \
org.opencontainers.image.title="Forgejo Runner" \
org.opencontainers.image.description="A runner for Forgejo Actions."
ENV HOME=/data ENV HOME=/data
USER 1000:1000 USER 1000:1000

View file

@ -1,4 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/goss-org/goss/master/docs/schema.yaml
file:
/usr/bin/git:
exists: true

View file

@ -1,5 +1,5 @@
app: forgejo-runner app: forgejo-runner
versioning: calver version: 24.10.01
channels: channels:
- name: stable - name: stable
platforms: ["linux/amd64"] platforms: ["linux/amd64"]

48
apps/kaniko/Dockerfile Normal file
View file

@ -0,0 +1,48 @@
# Set the Alpine version for consistency
ARG ALPINE_VERSION=3.20.3
# First stage: Build Kaniko executor
FROM alpine:${ALPINE_VERSION} AS kaniko-build
# Install necessary tools
RUN apk --update --no-cache add skopeo umoci
# Set working directory
WORKDIR /workdir-kaniko
# Specify Kaniko version
ARG KANIKO_VERSION=1.23.2
# Copy Kaniko executor using skopeo
RUN skopeo copy docker://gcr.io/kaniko-project/executor:v${KANIKO_VERSION} oci:kaniko:current
# Unpack the Kaniko executor
RUN umoci unpack --image kaniko:current unpacked
# Second stage: Create the final image
FROM alpine:${ALPINE_VERSION}
# Add a non-root user with UID and GID 1001
RUN addgroup -S kaniko -g 1001 && adduser -S kaniko -u 1001 -G kaniko
# Create necessary directories and set ownership and permissions
RUN mkdir -p /opt/kaniko /kaniko && \
chown -R kaniko:kaniko /opt/kaniko /kaniko && \
chmod -R 775 /opt/kaniko /kaniko
# Copy the Kaniko executor from the build stage
COPY --from=kaniko-build /workdir-kaniko/unpacked/rootfs/kaniko/executor /opt/kaniko/kaniko
# Ensure the executor has the correct ownership and execute permissions
RUN chown -R kaniko:kaniko /opt/kaniko/kaniko && \
chmod +x /opt/kaniko/kaniko
# Set environment variables
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kaniko
ENV DOCKER_CONFIG=/opt/kaniko/.docker/
# Switch to the non-root user
USER kaniko
# Define the entrypoint
ENTRYPOINT ["/opt/kaniko/kaniko"]

0
apps/kaniko/ci/goss.yaml Normal file
View file

5
apps/kaniko/ci/latest.sh Normal file
View file

@ -0,0 +1,5 @@
#!/usr/bin/env bash
version=$(curl -sX GET "https://api.github.com/repos/actions/runner/releases/latest" | jq --raw-output '.tag_name')
version="${version#*v}"
version="${version#*release-}"
printf "%s" "${version}"

View file

@ -0,0 +1,9 @@
app: kaniko
version: 24.10.01
channels:
- name: stable
platforms: ["linux/amd64"]
stable: false
tests:
enabled: true
type: cli

8
apps/kaniko/readme.org Normal file
View file

@ -0,0 +1,8 @@
#+begin_src sh
nerdctl build \
--platform linux/amd64 \
-t code.252.no/tommy/kaniko:v24.10.01 \
--output=type=image,name=code.252.no/tommy/kaniko:v24.10.01,push=true .
#+end_src

View file

@ -0,0 +1,18 @@
FROM nixos/nix:2.18.9
LABEL maintainer="tommy@252.no"
LABEL org.opencontainers.image.title="Nix Builder"
LABEL org.opencontainers.image.description="Builder for Lix Flake and Snowfall environments"
LABEL org.opencontainers.image.url="https://code.252.no/tommy/containers/lix-builder"
LABEL org.opencontainers.image.source="https://code.252.no/tommy/containers"
LABEL org.opencontainers.image.vendor="https://code.252.no/tommy"
LABEL org.opencontainers.image.authors="tommy@252.no"
WORKDIR /tmp/working-dir
RUN echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
RUN nix-channel --update
RUN nix-env -iA nixpkgs.go nixpkgs.vim nixpkgs.sops nixpkgs.nix-direnv nixpkgs.attic-client nixpkgs.nh nixpkgs.deploy-rs nixpkgs.statix nixpkgs.deadnix nixpkgs.alejandra nixpkgs.home-manager nixpkgs.ssh-to-age nixpkgs.gnupg nixpkgs.age nixpkgs.linux nixpkgs.go-task nixpkgs.curl nixpkgs.fish nixpkgs.nixos-anywhere nixpkgs.slirp4netns nixpkgs.podman nixpkgs.podman-tui
ENTRYPOINT ["fish"]

View file

View file

@ -0,0 +1,61 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1730200266,
"narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

View file

@ -0,0 +1,88 @@
{
description = "docker base images";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
};
outputs = { self, nixpkgs, flake-utils }:
let
system = "x86_64-linux";
pkgs = import nixpkgs { inherit system; };
in
{
packages = {
hello = pkgs.dockerTools.buildImage {
name = "hello-docker";
config = {
Cmd = [ "${pkgs.hello}/bin/hello" ];
};
};
flakes-action = pkgs.dockerTools.buildImageWithNixDb {
name = "code.252.no/tommy/flakes-action";
tag = "latest";
copyToRoot = pkgs.buildEnv {
name = "image-root";
pathsToLink = ["/bin" "/etc"];
ignoreCollisions = true;
paths = with pkgs; [
coreutils-full
docker
bash
cacert
coreutils
curl
gawk
gitFull
git-lfs
gnused
gnutar
gzip
nixVersions.stable
nodejs
openssh
sudo
wget
xz
zstd
(pkgs.writeTextFile {
name = "nix.conf";
destination = "/etc/nix/nix.conf";
text = ''
accept-flake-config = true
experimental-features = nix-command flakes
'';
})
];
};
extraCommands = ''
# for /usr/bin/env
mkdir usr
ln -s ../bin usr/bin
# make sure /tmp exists
mkdir -m 1777 tmp
# need a HOME
mkdir -vp root
'';
config = {
Cmd = ["/bin/bash"];
Env = [
"NIX_PATH=nixpkgs=${nixpkgs}"
"LANG=en_GB.UTF-8"
"ENV=/etc/profile.d/nix.sh"
"BASH_ENV=/etc/profile.d/nix.sh"
"NIX_BUILD_SHELL=/bin/bash"
"PAGER=cat"
"PATH=/usr/bin:/bin"
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"USER=root"
];
};
};
};
};
}

View file

@ -0,0 +1,102 @@
apiVersion: v1
kind: Namespace
metadata:
name: builds
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce-version: latest
pod-security.kubernetes.io/warn: privileged
pod-security.kubernetes.io/warn-version: latest
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/audit-version: latest
---
apiVersion: v1
kind: Pod
metadata:
name: kaniko
namespace: builds
spec:
securityContext:
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
seccompProfile:
type: Unconfined
containers:
- name: kaniko
image: code.252.no/tommy/kaniko:v24.10.01@sha256:d51c3b5c468bb070108d9e27884072f8527f20c9e41e2133621c56f62f89afc0
resources:
limits:
cpu: 1000m
memory: 2Gi
command: ["/opt/kaniko/kaniko"]
args:
- --dockerfile=Dockerfile
#- --reproducible
- --context=/kaniko
- --custom-platform=linux/amd64
- --destination=code.252.no/tommy/lix-builder:v24.10.01
#- --dockerfile=Dockerfile
#- --reproducible
#- --kaniko-dir=/workspace/kaniko
#- --context=/workspace
#- --custom-platform=linux/amd64
#- --destination=code.252.no/tommy/lix-builder:v24.10.01
#- --cache=true
#- --compressed-caching=false
#- --use-new-run
#- --cleanup
volumeMounts:
# - name: workspace-dir
# mountPath: /workspace
- name: docker-config
mountPath: /opt/kaniko/.docker/config.json
subPath: config.json
- name: dockerfile
mountPath: /kaniko/Dockerfile
subPath: Dockerfile
securityContext:
runAsUser: 1001
privileged: false
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- ALL
add:
- CHOWN
- FOWNER
- DAC_OVERRIDE
- SYS_ADMIN
restartPolicy: Never
volumes:
# - name: workspace-dir
# emptyDir: {}
- name: docker-config
secret:
secretName: tommy-pushsecret-rw
items:
- key: .dockerconfigjson
path: config.json
- name: dockerfile
configMap:
name: dockerfile
---
apiVersion: v1
kind: ConfigMap
metadata:
name: dockerfile
namespace: builds
data:
Dockerfile: |
FROM ghcr.io/lix-project/lix:2.91
WORKDIR /tmp/working-dir
RUN nix-env -iA nixpkgs.go nixpkgs.vim nixpkgs.sops nixpkgs.nix-direnv \
nixpkgs.attic-client nixpkgs.nh nixpkgs.deploy-rs nixpkgs.statix \
nixpkgs.deadnix nixpkgs.alejandra nixpkgs.home-manager \
nixpkgs.ssh-to-age nixpkgs.gnupg nixpkgs.age nixpkgs.linux \
nixpkgs.go-task nixpkgs.curl nixpkgs.fish nixpkgs.nixos-anywhere
ENTRYPOINT ["fish"]

View file

@ -0,0 +1,9 @@
app: lix-builder
version: v24.10.01
channels:
- name: stable
platforms: ["linux/amd64"]
stable: false
tests:
enabled: true
type: cli

View file

@ -0,0 +1,6 @@
filter-syscalls = false
experimental-features = nix-command flakes
extra-platforms = x86_64-linux aarch64-linux
build-users-group = nixbld
trusted-users = root @admin @wheel vscode
system-features = kvm big-parallel

View file

@ -0,0 +1 @@
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="80" height="20" role="img" aria-label="build: failing"><title>build: failing</title><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="80" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="37" height="20" fill="#555"/><rect x="37" width="43" height="20" fill="#e05d44"/><rect width="80" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="195" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="270">build</text><text x="195" y="140" transform="scale(.1)" fill="#fff" textLength="270">build</text><text aria-hidden="true" x="575" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="330">failing</text><text x="575" y="140" transform="scale(.1)" fill="#fff" textLength="330">failing</text></g></svg>

After

Width:  |  Height:  |  Size: 1.1 KiB

View file

@ -0,0 +1 @@
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="88" height="20" role="img" aria-label="build: passing"><title>build: passing</title><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="88" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="37" height="20" fill="#555"/><rect x="37" width="51" height="20" fill="#4c1"/><rect width="88" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="195" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="270">build</text><text x="195" y="140" transform="scale(.1)" fill="#fff" textLength="270">build</text><text aria-hidden="true" x="615" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="410">passing</text><text x="615" y="140" transform="scale(.1)" fill="#fff" textLength="410">passing</text></g></svg>

After

Width:  |  Height:  |  Size: 1.1 KiB

25
podman-seccomp.json Normal file
View file

@ -0,0 +1,25 @@
{
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [
{
"names": [
"keyctl",
"syslog",
"mknod",
"mknodat",
"pkey_mprotect",
"kexec_load",
"open_by_handle_at",
"init_module",
"finit_module",
"delete_module",
"bpf"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "Deny potentially risky syscalls that could impact system integrity",
"includes": {},
"excludes": {}
}
]
}