Remove "seccomp" build tag #42501
I think the "edge case" here will be a system which supports seccomp, but doesn't have libseccomp, and thus
As I recall buildkit also needs to drop the build tag.
This may conflict with #42005
Looks like you're lucky; I tried rebasing this locally, and looks like it still applies cleanly 😅
Thanks to moby/buildkit#2338 and a rebase, I think this is ready for review!
Similar to the (now removed) `apparmor` build tag, this build-time toggle existed for users who needed to build without the `libseccomp` library. That's no longer necessary, and given the importance of seccomp to the overall default security profile of Docker containers, it makes sense that any binary built for Linux should support (and use by default) seccomp if the underlying host does. Signed-off-by: Tianon Gravi <[email protected]>
LGTM (if green)
Completely forgot about this one! Guess we can make some changes in our packaging as well after this is merged 👍
Looks green(ish); some windows failures that are unrelated (gave it another kick)
LGTM
Opened docker/docker-ce-packaging#693 to remove the obsolete build-tags from our build-scripts
libseccomp is mandatory since bump to version 23.0.0 in commit 485b47e: moby/moby#42501 Fixes: - https://bugs.buildroot.org/show_bug.cgi?id=15321 Signed-off-by: Fabrice Fontaine <[email protected]> Signed-off-by: Peter Korsgaard <[email protected]>
Since moby/moby#42501 (part of 23.01) seccomp is now required as a build dependency, so drop optional packageconfig settings. Signed-off-by: Ricardo Salveti <[email protected]>
Similar to the (now removed) `apparmor` build tag, this build-time toggle existed for users who needed to build without the `libseccomp` library. That's no longer necessary, and given the importance of seccomp to the overall default security profile of Docker containers, it makes sense that any binary built for Linux should support (and use by default) seccomp if the underlying host does.

(As discussed in #42486 (comment) 😄)

This does some changes in `vendor/github.com/moby/buildkit` so it's not 100% ready to merge as-is. 😅
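
One way a binary can check at run time whether the host kernel supports seccomp, the condition the description above refers to. This is an added example, not code from this pull request or from Moby; `parseSeccompStatus` is a hypothetical helper and the sample status text is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Constructed excerpts in the format of /proc/<pid>/status (not captured from a real host).
const (
	sampleFilter    = "Name:\tdockerd\nNoNewPrivs:\t0\nSeccomp:\t2\nSeccomp_filters:\t1\n"
	sampleNoSupport = "Name:\tdockerd\nNoNewPrivs:\t0\n"
)

// SeccompState is what a status document reveals about seccomp.
type SeccompState struct {
	KernelSupport bool // "Seccomp:" field present, i.e. kernel built with CONFIG_SECCOMP
	Mode          int  // 0 = disabled, 1 = strict, 2 = filter (meaningful only with KernelSupport)
}

// parseSeccompStatus (hypothetical helper) extracts the "Seccomp:" field.
// A missing field is not an error: it means the kernel has no seccomp support.
func parseSeccompStatus(status string) (SeccompState, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		key, val, found := strings.Cut(sc.Text(), ":")
		if !found || key != "Seccomp" { // also skips "Seccomp_filters"
			continue
		}
		mode, err := strconv.Atoi(strings.TrimSpace(val))
		if err != nil || mode < 0 || mode > 2 {
			return SeccompState{}, fmt.Errorf("unexpected Seccomp value %q", val)
		}
		return SeccompState{KernelSupport: true, Mode: mode}, nil
	}
	return SeccompState{}, sc.Err()
}

func main() {
	for _, s := range []string{sampleFilter, sampleNoSupport} {
		st, err := parseSeccompStatus(s)
		fmt.Printf("constructed sample: %+v err=%v\n", st, err)
	}
	if data, err := os.ReadFile("/proc/self/status"); err == nil { // Linux only
		st, err := parseSeccompStatus(string(data))
		fmt.Printf("this process: %+v err=%v\n", st, err)
	}
}
```

The `Seccomp:` field only shows that the kernel was built with `CONFIG_SECCOMP`; filter mode additionally requires `CONFIG_SECCOMP_FILTER`.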