Add support for ambient capabilities

Allow setting ambient capabilities, as a seperate option to the standard ones. If you are running as a non root user you should use these. Note that unless you add `CAP_DAC_OVERRIDE` and similar permissions you need to be careful about file ownership. Added support to set ownership in the `files` section to help out with this. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2026-04-04 10:26:22 +00:00 · 2017-06-30 13:44:49 +01:00
parent 70c5c2e1a0
commit 66b4aed239
3 changed files with 66 additions and 48 deletions
--- a/src/moby/build.go
+++ b/src/moby/build.go
@@ -414,6 +414,8 @@ func filesystem(m Moby, tw *tar.Writer) error {
 					Name:     root,
 					Typeflag: tar.TypeDir,
 					Mode:     dirMode,
+					Uid:      int(f.UID),
+					Gid:      int(f.GID),
 				}
 				err := tw.WriteHeader(hdr)
 				if err != nil {
@@ -423,36 +425,30 @@ func filesystem(m Moby, tw *tar.Writer) error {
 			}
 		}
 		addedFiles[f.Path] = true
+		hdr := &tar.Header{
+			Name: f.Path,
+			Mode: mode,
+			Uid:  int(f.UID),
+			Gid:  int(f.GID),
+		}
 		if f.Directory {
 			if f.Contents != nil {
 				return errors.New("Directory with contents not allowed")
 			}
-			hdr := &tar.Header{
-				Name:     f.Path,
-				Typeflag: tar.TypeDir,
-				Mode:     mode,
-			}
+			hdr.Typeflag = tar.TypeDir
 			err := tw.WriteHeader(hdr)
 			if err != nil {
 				return err
 			}
 		} else if f.Symlink != "" {
-			hdr := &tar.Header{
-				Name:     f.Path,
-				Typeflag: tar.TypeSymlink,
-				Mode:     mode,
-				Linkname: f.Symlink,
-			}
+			hdr.Typeflag = tar.TypeSymlink
+			hdr.Linkname = f.Symlink
 			err := tw.WriteHeader(hdr)
 			if err != nil {
 				return err
 			}
 		} else {
-			hdr := &tar.Header{
-				Name: f.Path,
-				Mode: mode,
-				Size: int64(len(contents)),
-			}
+			hdr.Size = int64(len(contents))
 			err := tw.WriteHeader(hdr)
 			if err != nil {
 				return err