Package Details: docker-rootless-extras 25.0.3-1

Git Clone URL: https://aur.archlinux.org/docker-rootless-extras.git (read-only, click to copy)
Package Base: docker-rootless-extras
Description: Extras to run docker as non-root.
Upstream URL: https://docs.docker.com/engine/security/rootless/
Keywords: containers docker isolation rootless
Licenses: Apache
Conflicts: docker-rootless, docker-rootless-extras, docker-rootless-extras-bin
Provides: docker-rootless, docker-rootless-extras, docker-rootless-extras-bin
Submitter: whynothugo
Maintainer: Stebalien
Last Packager: Stebalien
Votes: 28
Popularity: 0.49
First Submitted: 2021-04-14 17:58 (UTC)
Last Updated: 2024-02-16 18:10 (UTC)

Pinned Comments

Latest Comments

« First ‹ Previous 1 2 3 4 5 6 7 8 Next › Last »

gamezelda commented on 2021-06-05 16:55 (UTC)

You forgot to update the checksum on the 20.10.5 -> 20.10.6 update.

gamezelda commented on 2021-06-05 16:47 (UTC)

I also get the checksum error when running makepkg.

After looking at the ArchWiki and the source of makepkg a bit I think the correct syntax is:

source=(...the 3 common files...)
source_x86_64=(...the x86_64 specific file...)
source_aarch64=(...the aarch64 specific file...)

sha256sums=(...the checksums for the 3 common files...)
sha256sums_x86_64=(...the checksum for the x86_64 specific file...)
sha256sums_aarch64=(...the checksum for the aarch64 specific file...)

Also, at first sight I don't think the aarch64 build is going to work, since using $arch is going to always give you the first element of the arch array = x86_64.

whynothugo commented on 2021-05-28 20:07 (UTC)

As far as I understand, merely enabling kernel.unprivileged_userns_clone makes vulnerabilities more exploitable, they don't necessarily have to be vulnerabilities in docker or podman.

MartinX3 commented on 2021-05-27 17:30 (UTC)

@psvoboda @whynothugo While it uses kernel.unprivileged_userns_clone=1, it's far more secure than docker. Podman doesn't use a Client/Server architecture with a root daemon. Also it got developed with rootless mode in mind. Docker-Rootless got added many years later as an still experimental addon.

You could say Docker is the Dinosaur from 2013 where there trying to fix their architecture and Podman the Homo Sapiens Sapiens from 2019.

Here you can read more about it https://www.ti8m.com/blog/Why-Podman-is-worth-a-look-.html

whynothugo commented on 2021-05-27 16:41 (UTC)

That's correct, podman rootless depends on the samething.

Docker-as-root might be best, with some features (priviledged, etc) disabled. I've been looking into writing a plugin that disabled such features, but it's... hard.

psvoboda commented on 2021-05-27 15:04 (UTC)

@MartinX3 Podman in rootless mode has the same serious security implications since it relies on kernel.unprivileged_userns_clone=1 as well, doesn't it?

MartinX3 commented on 2021-05-26 18:58 (UTC)

If you're a security aware user, I recommend

to build containers: https://github.com/containers/buildah

to run containers: https://github.com/containers/podman Podman also has podman-compose

Or if you have a network of several servers: https://github.com/kubernetes/kubernetes

whynothugo commented on 2021-05-26 14:14 (UTC)

I'm going to stop maintaining this package since it actually has some serious security implications (since docker-rootless relies on kernel.unprivileged_userns_clone=1).

I suggest you read this answer if you're going to continue using this package: https://security.stackexchange.com/a/209533

Running docker as root is likely far safer. Consider podman if that's not an option for you.

whynothugo commented on 2021-05-26 14:13 (UTC)

I'm going to stop maintaining this package since it actually has some serious security implications (since docker-rootless relies on kernel.unprivileged_userns_clone=1).

I suggest you read this answer if you're going to continue using this package: https://security.stackexchange.com/a/209533

Running docker as root is likely far safer. Consider podman if that's not an option for you.

Loader009 commented on 2021-05-20 20:02 (UTC)

It is more like another error than wrong hashes - you don't get the error message with makepkg?