| Git Clone URL: | https://aur.archlinux.org/docker-rootless-extras.git (read-only) |
|---|---|
| Package Base: | docker-rootless-extras |
| Description: | Extras to run docker as non-root. |
| Upstream URL: | https://docs.docker.com/engine/security/rootless/ |
| Keywords: | containers docker isolation rootless |
| Licenses: | Apache |
| Conflicts: | docker-rootless, docker-rootless-extras, docker-rootless-extras-bin |
| Provides: | docker-rootless, docker-rootless-extras, docker-rootless-extras-bin |
| Submitter: | whynothugo |
| Maintainer: | the-k |
| Last Packager: | the-k |
| Votes: | 35 |
| Popularity: | 1.57 |
| First Submitted: | 2021-04-14 17:58 (UTC) |
| Last Updated: | 2025-05-31 11:31 (UTC) |
The build fails again with a checksum error:
==> ERROR: Integrity checks (sha256) differ in size from the source array.
Fixed, thanks.
Besides the checksum error, some of the files as currently packaged conflict with the `docker-rootless` and `docker-rootless-bin` packages: `rootlesskit` and `rootlesskit-docker-proxy` are already installed by these packages. The `rm` invocation at the end removes `rootlesskit` but not `rootlesskit-docker-proxy`. This causes a conflict between `rootlesskit` and `docker-rootless-extras-bin`.

I'd suggest that we remove the `rm` invocation and only copy the non-conflicting files in `$srcdir/docker-rootless-extras` into the `$pkgdir`, like this:
diff --git a/PKGBUILD b/PKGBUILD
index 93856d5..0232d7a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -38,11 +38,10 @@ sha256sums_aarch64=(
package() {
mkdir -p "$pkgdir/usr/bin/"
- install -Dm755 "$srcdir/docker-rootless-extras/"* "$pkgdir/usr/bin/"
+ install -Dm755 "$srcdir/docker-rootless-extras/dockerd-rootless-setuptool.sh" "$pkgdir/usr/bin/"
+ install -Dm755 "$srcdir/docker-rootless-extras/dockerd-rootless.sh" "$pkgdir/usr/bin/"
+ install -Dm755 "$srcdir/docker-rootless-extras/vpnkit" "$pkgdir/usr/bin/"
install -Dm644 "$srcdir/docker.service" "$pkgdir/usr/lib/systemd/user/docker.service"
install -Dm644 "$srcdir/docker.socket" "$pkgdir/usr/lib/systemd/user/docker.socket"
install -Dm644 "$srcdir/99-docker-rootless.conf" "$pkgdir/usr/lib/sysctl.d/99-docker-rootless.conf"
-
- # Delete files provided by `rootlesskit`.
- rm "$pkgdir/usr/bin/rootlessctl" "$pkgdir/usr/bin/rootlesskit"
}
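Review bot: dropping the `# Delete files provided by `rootlesskit`` comment together with the `rm` leaves package() with no record of why `rootlesskit`, `rootlessctl` and `rootlesskit-docker-proxy` from the extracted tarball are deliberately not installed; put a one-line comment above the three explicit `install -Dm755` lines stating that those binaries come from the rootlesskit package, otherwise the next version bump is likely to bring the `"$srcdir/docker-rootless-extras/"*` wildcard back. The explicit list is the better failure mode (a missing or renamed file now fails at `install` time instead of silently shipping a conflicting binary), but the `sha256sums_aarch64=(` context in the hunk header shows this PKGBUILD also builds for aarch64, and nothing visible here confirms that `vpnkit` is present in that tarball; verify it on an aarch64 build before merging, or guard that one `install` on `$CARCH`.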
You forgot to update the checksum on the 20.10.5 -> 20.10.6 update.
I also get the checksum error when running makepkg.
After looking at the ArchWiki and the source of makepkg a bit I think the correct syntax is:
source=(...the 3 common files...)
source_x86_64=(...the x86_64 specific file...)
source_aarch64=(...the aarch64 specific file...)
sha256sums=(...the checksums for the 3 common files...)
sha256sums_x86_64=(...the checksum for the x86_64 specific file...)
sha256sums_aarch64=(...the checksum for the aarch64 specific file...)
Also, at first sight I don't think the aarch64 build is going to work, since using `$arch` is going to always give you the first element of the `arch` array = x86_64.
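The two comments above describe how makepkg pairs `source*` arrays with `sha256sums*` arrays per architecture and why `$arch` is the wrong variable to select an arch-specific file. The script below is an added example for this thread, not code from the docker-rootless-extras PKGBUILD or from makepkg; it re-implements the same pairing in plain bash so the "differ in size" error, the index-wise checksum comparison, and the `$arch` vs `$CARCH` distinction can be reproduced offline. Every filename, file content and checksum value in it is constructed; `file_sha256`, `make_fixture`, `check_sizes`, `regen_checksums`, `effective_sources` and `verify_sources` are hypothetical helper names, not makepkg functions.

```shell
#!/usr/bin/env bash
# Added example (not from the PKGBUILD or makepkg): reproduces how makepkg
# pairs source*/sha256sums* arrays per architecture, offline.
set -eo pipefail

arch=(x86_64 aarch64)

# Constructed stand-ins for the PKGBUILD arrays: three common files plus one
# arch-specific file each. The aarch64 checksum array is left empty on purpose,
# which is the size mismatch that makes makepkg abort.
source=(common-a.txt common-b.txt common-c.txt)
source_x86_64=(only-x86_64.txt)
source_aarch64=(only-aarch64.txt)
sha256sums=(SKIP SKIP SKIP)
sha256sums_x86_64=(SKIP)
sha256sums_aarch64=()

file_sha256() { sha256sum -- "$1" | cut -d' ' -f1; }

# make_fixture DIR: write the five constructed files so they can be hashed.
make_fixture() {
  local dir="$1" f
  mkdir -p "$dir"
  for f in "${source[@]}" "${source_x86_64[@]}" "${source_aarch64[@]}"; do
    printf 'constructed content of %s\n' "$f" > "$dir/$f"
  done
}

# check_sizes: makepkg's first integrity check. For the common arrays and for
# every "_<arch>" suffix, sha256sums<suffix> must have exactly as many entries
# as source<suffix>. Returns 1 on any mismatch.
check_sizes() {
  local suffix s c rc=0
  for suffix in "" "${arch[@]/#/_}"; do
    s="source${suffix}[@]"; c="sha256sums${suffix}[@]"
    local -a src=("${!s}") sums=("${!c}")
    if [ "${#src[@]}" -ne "${#sums[@]}" ]; then
      echo "==> ERROR: Integrity checks (sha256) differ in size from the source array." \
           "(sha256sums${suffix}: ${#sums[@]} entries, source${suffix}: ${#src[@]})" >&2
      rc=1
    fi
  done
  return "$rc"
}

# effective_sources CARCH: what makepkg fetches for one build architecture,
# i.e. source followed by source_<CARCH>. makepkg exports the build arch as
# $CARCH; "$arch" is the array above, and as a scalar it is only ${arch[0]}.
effective_sources() {
  local s="source_${1}[@]"
  printf '%s\n' "${source[@]}" "${!s}"
}

# sums_for DIR FILE...: one sha256 per line, in the order given.
sums_for() { local dir="$1" f; shift; for f in "$@"; do file_sha256 "$dir/$f"; done; }

# regen_checksums DIR: rebuild every sha256sums* array from the files in DIR so
# each array matches the length of its source* array (the fix for the error).
regen_checksums() {
  local dir="$1"
  mapfile -t sha256sums         < <(sums_for "$dir" "${source[@]}")
  mapfile -t sha256sums_x86_64  < <(sums_for "$dir" "${source_x86_64[@]}")
  mapfile -t sha256sums_aarch64 < <(sums_for "$dir" "${source_aarch64[@]}")
}

# verify_sources CARCH DIR: makepkg's second step. Pair each effective source
# with its checksum by index (SKIP disables one entry), print the number of
# mismatching files, and return non-zero if there were any.
verify_sources() {
  local carch="$1" dir="$2" i fails=0 actual
  local s="source_${carch}[@]" c="sha256sums_${carch}[@]"
  local -a srcs=("${source[@]}" "${!s}") sums=("${sha256sums[@]}" "${!c}")
  if [ "${#srcs[@]}" -ne "${#sums[@]}" ]; then
    echo "array sizes differ; run check_sizes first" >&2; echo -1; return 2
  fi
  for ((i = 0; i < ${#srcs[@]}; i++)); do
    [ "${sums[i]}" = SKIP ] && continue
    actual=$(file_sha256 "$dir/${srcs[i]}" 2>/dev/null || true)
    if [ "$actual" != "${sums[i]}" ]; then
      echo "    ${srcs[i]} ... FAILED" >&2
      fails=$((fails + 1))
    fi
  done
  echo "$fails"
  [ "$fails" -eq 0 ]
}

# Walk-through: the broken state, the fix, and a tampered arch-specific file.
work=$(mktemp -d)
make_fixture "$work"
echo "\$arch as a scalar is only: $arch"
check_sizes || echo "size check failed (sha256sums_aarch64 is empty)"
regen_checksums "$work"
check_sizes && echo "size check OK after regenerating the sums"
verify_sources x86_64 "$work" >/dev/null && echo "x86_64 checksums OK"
echo "tampered" >> "$work/only-aarch64.txt"
verify_sources aarch64 "$work" >/dev/null || echo "aarch64 tamper detected"
rm -rf "$work"
```

The size check runs before any hashing, which is why a forgotten entry in one arch array fails the build for every architecture; and because `verify_sources` pairs entries by index, a checksum that is merely in the wrong position fails just as a tampered download would, so regenerate the arrays in source order rather than editing a single value by hand.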
As far as I understand, merely enabling kernel.unprivileged_userns_clone makes vulnerabilities more exploitable; they don't necessarily have to be vulnerabilities in docker or podman.
@psvoboda @whynothugo While it uses kernel.unprivileged_userns_clone=1, it's far more secure than Docker. Podman doesn't use a client/server architecture with a root daemon. Also, it got developed with rootless mode in mind. Docker-Rootless got added many years later as a still-experimental add-on.
You could say Docker is the dinosaur from 2013 where they're trying to fix their architecture, and Podman the Homo sapiens sapiens from 2019.
Here you can read more about it https://www.ti8m.com/blog/Why-Podman-is-worth-a-look-.html
That's correct, podman rootless depends on the same thing.
Docker-as-root might be best, with some features (privileged, etc.) disabled. I've been looking into writing a plugin that disables such features, but it's... hard.
@MartinX3 Podman in rootless mode has the same serious security implications since it relies on kernel.unprivileged_userns_clone=1 as well, doesn't it?
If you're a security-aware user, I recommend:
to build containers: https://github.com/containers/buildah
to run containers: https://github.com/containers/podman (Podman also has podman-compose)
or, if you have a network of several servers: https://github.com/kubernetes/kubernetes