How to run privileged docker container

Hey,

I’m working on a Github Action that builds Flatpak bundles for each application that has a flatpak manifest. So far, it works but:

  • In order to run flatpak-builder I need to run my docker container with

    --cap-add SYS_ADMIN --cap-add NET_ADMIN --device /dev/fuse

Is there a possible way to do this without having to run the docker container myself?
Because for now I have something like this

on: [push, pull_request]
name: Flatpak
jobs:
  flatpak-builder:
    name: "Flatpak Builder"
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: Pull the Docker Image
      run: docker pull bilelmoussaoui/flatpak-github-actions:latest
    - name: Run Docker Image
      run: |
        docker run --cap-add SYS_ADMIN --cap-add NET_ADMIN --device /dev/fuse \
            --security-opt apparmor:unconfined --security-opt seccomp=unconfined \
            --workdir /github/workspace \
            --rm -i -e INPUT_ARGS -e HOME -e GITHUB_REF -e GITHUB_SHA \
            -e GITHUB_REPOSITORY -e GITHUB_ACTOR -e GITHUB_WORKFLOW \
            -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME \
            -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS \
            -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE \
            -v "/var/run/docker.sock":"/var/run/docker.sock" \
            -v "/home/runner/work/_temp/_github_home":"/github/home" \
            -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" \
            -v ${{ github.workspace }}:"/github/workspace" \
            bilelmoussaoui/flatpak-github-actions:latest \
                --manifest-path "org.gnome.zbrown.Palette.yaml" \
                --app-id "org.gnome.zbrown.Palette" \
                --bundle "palette-nightly.flatpak"

But what I want is for people to use my Action like this

on: [push, pull_request]
name: Flatpak
jobs:
  flatpak-builder:
    name: "Flatpak Builder"
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - uses: bilelmoussaoui/flatpak-github-actions@wip
      with:
        bundle: "palette.flatpak"
        manifest: "org.gnome.zbrown.Palette.yml"
        app-id: "org.gnome.zbrown.Palette"
        runtime-repo: "https://flathub.org/repo/flathub.flatpakrepo"

Here’s my action.yml file

name: 'Flatpak Builder'
description: 'Flatpak Applications Builder'
author: 'Bilal Elmoussaoui'
branding:
  icon: 'package'
  color: 'blue'
inputs:
  manifest:
    description: "The relative path to the manifest file in this repository."
    required: true
  app-id:
    description: "The application ID"
    required: true
  bundle:
    description: "The bundle name, by default it's app.flatpak"
    default: "app.flatpak"
  runtime-repo:
    description: "The repository used to fetch the runtime when the user downloads the Flatpak bundle."
    default: "https://flathub.org/repo/flathub.flatpakrepo"
runs:
  using: 'docker'
  image: 'docker://bilelmoussaoui/flatpak-github-actions:latest'

Thanks!


No, there’s no way to specify this. The only workaround that I could see is to create a JavaScript based action that does this invocation. That would simplify setup for the end-user.


Hi,

Got a similar problem here. My use case is to build cloud images with packer. I have checked nova_libvirt on my devstack, so I know that privileged mode is what I need.

Is it possible to do it in a more convenient way than writing a JS module?

Regards,
Bart