diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index dc902f57b0..4d69e89d94 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -181,32 +181,38 @@ docker_extra_args() {
 local args=""
+ # Required to mount inside a container
+ args+=" --cap-add SYS_ADMIN"
+ # Requred to chroot
+ args+=" --cap-add SYS_CHROOT"
+ # debootstrap needs to create device nodes to properly function
+ args+=" --cap-add MKNOD"
+
 case "$1" in
- gentoo)
- # Requred to chroot
- args+=" --cap-add SYS_CHROOT"
- # debootstrap needs to create device nodes to properly function
- args+=" --cap-add MKNOD"
- # Required to mount inside a container
- args+=" --cap-add SYS_ADMIN"
+ gentoo)
 # Required to build glibc
 args+=" --cap-add SYS_PTRACE"
 # mount portage volume
 args+=" -v ${gentoo_local_portage_dir}:/usr/portage/packages"
 args+=" --volumes-from ${gentoo_portage_container}"
 ;;
- ubuntu | debian)
- # Requred to chroot
- args+=" --cap-add SYS_CHROOT"
- # debootstrap needs to create device nodes to properly function
- args+=" --cap-add MKNOD"
- ;&
- suse)
- # Required to mount inside a container
- args+=" --cap-add SYS_ADMIN"
- # When AppArmor is enabled, mounting inside a container is blocked with docker-default profile.
- # See https://github.com/moby/moby/issues/16429
- args+=" --security-opt apparmor=unconfined"
+ debian | ubuntu | suse)
+ source /etc/os-release
+
+ case "$ID" in
+ fedora | centos | rhel)
+ # Depending on the podman version, we'll face issues when passing
+ # `--security-opt apparmor=unconfined` on a system where not apparmor is not installed.
+ # Because of this, let's just avoid adding this option when the host OS comes from Red Hat.
+
+ # A explict check for podman, at least for now, can be avoided.
+ ;;
+ *)
+ # When AppArmor is enabled, mounting inside a container is blocked with docker-default profile.
+ # See https://github.com/moby/moby/issues/16429
+ args+=" --security-opt apparmor=unconfined"
+ ;;
+ esac
 ;;
 *)
 ;;