summaryrefslogtreecommitdiffstats
path: root/docker/README
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--docker/README45
1 files changed, 45 insertions, 0 deletions
diff --git a/docker/README b/docker/README
new file mode 100644
index 0000000..679446b
--- /dev/null
+++ b/docker/README
@@ -0,0 +1,45 @@
+Container images are stored in https://hub.docker.com/repositories as
+user sudoproject. Build images are named based on the distro and use
+the tag to differentiate between different versions and architectures.
+There should always be a "latest" tag (or manifest).
+
+When creating a new Dockerfile, use one of the Debian or Fedora files
+as a template. The examples below use podman rather than docker but it
+should be possible to them interchangeably.
+
+To build Debian containers for both amd64 and i386 (others only have amd64):
+
+ podman build --arch amd64 --pull -t sudoproject/debian:latest.amd64 \
+ docker/debian/latest
+ podman build --arch 386 --pull -t sudoproject/debian:latest.i386 \
+ docker/debian/latest
+
+Then push it to dockerhub (may need to run "podman login" first):
+ podman push sudoproject/debian:latest.amd64
+ podman push sudoproject/debian:latest.i386
+
+Multi-arch containers are supported by creating a manifest, e.g.:
+ podman manifest create sudoproject/debian:latest
+ podman manifest add sudoproject/debian:latest \
+ sudoproject/debian:latest.amd64
+ podman manifest add sudoproject/debian:latest \
+ sudoproject/debian:latest.i386
+
+Finally push the manifest to dockerhub:
+ podman push sudoproject/debian:latest
+
+When building bleeding edge images it is possible that the seccomp
+filter will be out of date with respect to system calls. It may
+be necessary to pass podman the --security-opt=seccomp=unconfined
+option in this case.
+
+Note that memory sanitizer uses ptrace which is not allowed for
+non-root containers by default. This will cause a failure when
+running the tests if sudo is configured with --enable-sanitizer.
+The simplest solution is to run the container with the SYS_PTRACE
+capability. E.g.
+ podman run -it --cap-add SYS_PTRACE ...
+
+Alternately, disable leak sanitizer by setting
+ ASAN_OPTIONS=detect_leaks=0
+in the environment of the container doing "make check".