From acdbb5bfbe66ea044ac8f2bc384b1ffc43394230 Mon Sep 17 00:00:00 2001 From: Zhengchen Tao Date: Sat, 2 May 2026 15:27:39 +0800 Subject: [PATCH] =?UTF-8?q?=E9=92=89=20buildkit=20=E5=88=B0=20v0.13.2=20?= =?UTF-8?q?=E4=BB=A5=E5=85=BC=E5=AE=B9=20DSM=20=E8=80=81=E5=86=85=E6=A0=B8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit runc 1.2.0 (2024-09) 引入 procfs 安全检查(CVE-2024-21626), 依赖 openat2 (kernel 5.6+) 与 fsmount/fscontext (kernel 5.2+)。 DSM 7 系列内核仍是 4.4.x,syscall 不存在,runc 启动 build container 时 报 "unsafe procfs detected" 直接失败。 钉 buildkit v0.13.2 自带 runc 1.1.12,绕开新检查。 Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitea/workflows/build-image.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.gitea/workflows/build-image.yml b/.gitea/workflows/build-image.yml
index 9936840a..b492ae48 100644
--- a/.gitea/workflows/build-image.yml
+++ b/.gitea/workflows/build-image.yml
@@ -24,6 +24,11 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
+ with:
+ # 钉到 v0.13.2(自带 runc 1.1.x),避免 runc 1.2+ 的 procfs 安全检查
+ # 在 DSM 老内核(4.4.x)上撞 openat2/fsmount 不存在导致 build 失败
+ driver-opts: |
+ image=moby/buildkit:v0.13.2
 - name: Login to Gitea Container Registry
 uses: docker/login-action@v3
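Review bot: The pin on `image=moby/buildkit:v0.13.2` in the added `driver-opts` has no exit condition: it freezes the build container on buildkit 0.13 and the runc 1.1.12 it bundles, so later runc 1.1.x point fixes and every later buildkit release are silently skipped on each run until someone remembers to lift it. The inline comment explains why the pin exists but not when it may go; I would add `# TODO: drop this pin once the DSM runner kernel provides openat2 (5.6+) / fsmount (5.2+)` above `driver-opts:` so the workaround does not outlive the kernel constraint it exists for. The tag is mutable, so if the pin stays it is worth making reproducible and tamper-evident by digest, `image=moby/buildkit:v0.13.2@sha256:<digest of the v0.13.2 manifest>` — the `image=` option takes an ordinary image reference, so a digest-qualified one should be accepted, but confirm on the runner. The `with:` block belongs to the `Set up Docker Buildx` step; the enclosing job definition continues outside the hunk.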