BuildKit 0.7.x supports building without root privileges
Based on rootlesskit
Networking: host networking by default, or slirp4netns for an isolated network namespace
Docker rootless was experimental since Docker 19.03
Docker rootless is GA since Docker 20.10 (December 8th 2020)
Run as a container, the daemon needs more access to paths (AppArmor)
as well as to system calls (seccomp) than Docker's default profiles allow, so both are disabled for it:
docker run \
--security-opt apparmor=unconfined \
--security-opt seccomp=unconfined
Let the worker containers share the daemon's process namespace instead of getting a PID namespace each:
buildkitd --oci-worker-no-process-sandbox
Capabilities:
Split root's privileges into units that gate privileged operations (and the system calls that need them)
Every capability is a piece of root privilege and is treated as privileged
Seccomp:
Filters entire system calls
Can also restrict a system call to particular argument values
Default profile applied by Docker (disabled with seccomp=unconfined)
AppArmor:
Mandatory access control for objects
Applies to files and paths
Default profile applied by Docker (disabled with apparmor=unconfined)
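The seccomp bullets above are easier to grasp with a profile in hand. The following is an added example, not code from the page or from Docker or BuildKit: it builds a small profile in the JSON shape that Docker passes to runc (defaultAction, syscalls, per-argument conditions with libseccomp comparison ops) and evaluates calls against it offline. The syscall list and argument values are constructed for illustration and are not Docker's default profile; the AND-across-indexes / OR-within-an-index matching is our model of how runc installs such rules.

```python
"""Offline evaluation of a Docker-style seccomp profile (constructed example).

Demonstrates the two things a seccomp filter does that capabilities cannot:
deny a whole system call, or allow it only for certain argument values.
"""
import json

# Linux constants used in the constructed rules below.
SIGCHLD = 17
CLONE_NEWNS = 0x00020000
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000
NAMESPACE_FLAGS = CLONE_NEWNS | CLONE_NEWUSER | CLONE_NEWNET
ADDR_NO_RANDOMIZE = 0x0040000

# Constructed profile. The schema (defaultAction / syscalls / args / op) is the
# one Docker hands to runc; the rules themselves are an illustrative subset.
PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",  # anything not listed fails with EPERM
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        # Whole-syscall allow: no argument conditions at all.
        {"names": ["read", "write", "openat", "close", "mmap", "exit_group"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        # Argument restriction: clone() only when no namespace-creating flag
        # is set, i.e. (arg0 & NAMESPACE_FLAGS) == 0.
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": NAMESPACE_FLAGS, "valueTwo": 0,
                   "op": "SCMP_CMP_MASKED_EQ"}]},
        # Exact-value allow-list: two conditions on the same index are OR-ed.
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0, "valueTwo": 0, "op": "SCMP_CMP_EQ"},
                  {"index": 0, "value": 0xFFFFFFFF, "valueTwo": 0,
                   "op": "SCMP_CMP_EQ"}]},
    ],
}

# libseccomp comparison operators: (actual, value, valueTwo) -> bool
_OPS = {
    "SCMP_CMP_NE": lambda a, v, _: a != v,
    "SCMP_CMP_LT": lambda a, v, _: a < v,
    "SCMP_CMP_LE": lambda a, v, _: a <= v,
    "SCMP_CMP_EQ": lambda a, v, _: a == v,
    "SCMP_CMP_GE": lambda a, v, _: a >= v,
    "SCMP_CMP_GT": lambda a, v, _: a > v,
    "SCMP_CMP_MASKED_EQ": lambda a, v, v2: (a & v) == v2,
}


def _args_match(conditions, args):
    """Every constrained argument index must match; several conditions on
    one index are OR-ed (runc emits one kernel rule per condition)."""
    by_index = {}
    for cond in conditions:
        by_index.setdefault(cond["index"], []).append(cond)
    for index, conds in by_index.items():
        actual = args[index] if index < len(args) else 0
        if not any(_OPS[c["op"]](actual, c["value"], c.get("valueTwo", 0))
                   for c in conds):
            return False
    return True


def evaluate(profile, syscall, args=()):
    """Return the seccomp action for one call.

    profile=None models `--security-opt seccomp=unconfined`: no filter,
    so every call is allowed.
    """
    if profile is None:
        return "SCMP_ACT_ALLOW"
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and _args_match(rule.get("args", []), args):
            return rule["action"]
    return profile["defaultAction"]


def to_json(profile):
    """Serialise the profile as Docker expects it for --security-opt seccomp=<file>."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    for call in [("read", [3, 0, 4096]), ("mount", []),
                 ("clone", [SIGCHLD]), ("clone", [CLONE_NEWUSER | SIGCHLD]),
                 ("personality", [0]), ("personality", [ADDR_NO_RANDOMIZE])]:
        print(f"{call[0]}{tuple(call[1])}: {evaluate(PROFILE, *call)}")
    print(to_json(PROFILE))
```

Whole-syscall filtering is the mount() case: the name is absent from every rule, so defaultAction applies. Argument restriction is the clone() case: the same syscall is allowed for an ordinary fork but refused once CLONE_NEWUSER appears in the flags. Passing None instead of a profile reproduces what seccomp=unconfined on the daemon container above means: no filter at all, every call allowed.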