author | zer0def | 2020-11-05 10:38:49 +0100 |
---|---|---|
committer | zer0def | 2020-11-05 10:38:49 +0100 |
commit | 99c1affb4a768a7e49abc275f01a7c918a75ab8f (patch) | |
tree | aee39e5a4f0d85a3f97a6482b1f2981ad0272512 | |
parent | 161ad664a34245d74f4f676cd0ce93c129f670c2 (diff) | |
download | aur-99c1affb4a768a7e49abc275f01a7c918a75ab8f.tar.gz |
Warn the user about security implications of the current image build process as-is
-rw-r--r-- | .SRCINFO | 3 | ||||
-rw-r--r-- | PKGBUILD | 3 | ||||
-rw-r--r-- | kata-containers-guest.install | 17 |
3 files changed, 21 insertions, 2 deletions
@@ -1,7 +1,7 @@
 pkgbase = kata-containers-guest
 pkgdesc = Lightweight virtual machines for containers (guest components)
 pkgver = 1.11.4
- pkgrel = 4
+ pkgrel = 5
 url = https://katacontainers.io/
 arch = x86_64
 license = Apache
@@ -44,4 +44,5 @@ pkgname = kata-agent
 pkgname = kata-linux-container
 pkgname = kata-containers-image
+ install = kata-containers-guest.install
@@ -9,7 +9,7 @@ pkgname=(
 )
 pkgver=1.11.4
 _pkgver=${pkgver/\~/-}
-pkgrel=4
+pkgrel=5
 pkgdesc="Lightweight virtual machines for containers (guest components)"
 arch=('x86_64')
 url="https://katacontainers.io/"
@@ -153,6 +153,7 @@ package_kata-agent(){
 }
 package_kata-containers-image(){
+ install=kata-containers-guest.install
 local -r _img_filename="kata-containers-${_pkgver%%~*}-arch-systemd-image.img" _initrd_filename="kata-containers-${_pkgver%%~*}-arch-agent-initrd.img"
 install -Dm 0644 "${srcdir}/osbuilder-${_pkgver}/image-builder/kata-containers.img" "${pkgdir}/usr/share/kata-containers/${_img_filename}"
 install -Dm 0644 "${srcdir}/initrd-arch-agent.img" "${pkgdir}/usr/share/kata-containers/${_initrd_filename}"
diff --git a/kata-containers-guest.install b/kata-containers-guest.install
new file mode 100644
index 000000000000..66c817eb97ca
--- /dev/null
+++ b/kata-containers-guest.install
@@ -0,0 +1,17 @@
+post_install() {
+ cat <<EOF
+
+Due to backflips made to be able to build the Kata guest image (not initrd!)
+without root account access, rootfs has uid:gid of the builer's user account.
+
+This might have subtle security implications and if that's not acceptable,
+the user could do one of the following:
+
+- alter the build process to use upstream's \`image_builder.sh\` to build
+ the image from rootfs created via \`pacman\`, with root priviledges
+- use the \`-bin\`-suffixed package, containing upstream-built images
+
+By installing this package as-is, the user acknowledges this warning.
+
+EOF
+} |
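Review bot: The new `install=kata-containers-guest.install` line in `package_kata-containers-image()` carries no comment saying what the script is for, so a later maintainer cannot tell when it may be dropped. A one-line comment above it would do, for example `# prints a warning: the image rootfs is owned by the build user's uid:gid, not root`. The commit documents the ownership problem rather than changing the build, so the image installed by the `install -Dm 0644` lines in this hunk is the same as before. The function body continues past the end of the hunk.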
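Review bot: Only `post_install()` is defined in kata-containers-guest.install, so the warning is not printed on upgrades, and this commit itself reaches existing users as an upgrade from pkgrel 4 to 5; adding `post_upgrade() { post_install; }` would cover that path. The phrase "subtle security implications" would help readers more if it named the concern: the guest rootfs files carry the build user's uid:gid instead of root's, so presumably a guest process running under that uid could modify files that should be root-only. Because the text is printed after installation, "By installing this package as-is, the user acknowledges this warning" cannot serve as prior notice; a comment at the top of the PKGBUILD would reach users before they build. The message also has two typos, `builer's` and `priviledges`.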