Make bindfs mapping bidirectional, remove host USER name from env @Nuru (#901)
REMINDER

This PR fixes an issue with using `bindfs` to work around file ownership issues caused by running the Docker daemon as root (#594). This support is provided as a courtesy, but the better solution is to run Docker in "rootless" mode, which is done automatically when you use Docker Desktop. Support for running Docker as root should be considered deprecated.
what
- Use bi-directional UID and GID mapping in `bindfs` mount of host filesystem
- Remove host username (`$USER`) from Geodesic environment
why
- To guard against CVE-2022-24765, `git` checks the ownership of all directories it looks at for configuration, and complains if it finds a directory with a different owner.
- The host's username was injected to support `ansible` 8 years ago (#65). It was never working properly on Debian due to the different structure of the `adduser` command on Debian vs Alpine, and should not be necessary now. If it turns out to be needed for some reason, we should develop a more robust solution.
references
- Git vulnerability to configuration injection
- Supersedes and closes #900
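The following is an added illustration of the two points above, not code from the Geodesic PR: it builds the bidirectional `bindfs` mapping using the `--map` option (bindfs maps ownership in both directions with this option; the host and container uid/gid values are constructed examples), and reproduces the ownership check `git` performs since CVE-2022-24765 so you can confirm that a mounted directory will be accepted.

```shell
#!/bin/sh
# Added example (not Geodesic's own code). Assumes bindfs's --map option:
# files owned by HOST_UID on the host appear owned by CONTAINER_UID inside
# the mount, and files created or chowned by CONTAINER_UID are chowned back
# to HOST_UID in the underlying directory (same for the gids).

# Build the bindfs argument for a bidirectional uid/gid mapping.
# Usage: bindfs_map_args HOST_UID HOST_GID CONTAINER_UID CONTAINER_GID
bindfs_map_args() {
  printf '%s=%s/%s:@%s/@%s' --map "$1" "$3" "$2" "$4"
}

# Reproduce the check git performs since CVE-2022-24765 (simplified: git also
# special-cases sudo and Windows): a repository directory is only trusted when
# its owner is the calling uid. Returns 0 if git would accept it, 1 otherwise.
owner_matches_caller() {
  dir=$1
  owner=$(stat -c %u "$dir") || return 1     # GNU stat; non-existent dir -> 1
  [ "$owner" -eq "$(id -u)" ]
}

# Constructed example: host user 501:20 (macOS default), container user
# 1000:1000. With a one-way --force-user mount, files the container creates
# would still show the host uid to the container's git and fail the check.
# bindfs "$(bindfs_map_args 501 20 1000 1000)" /localhost-src /localhost
# owner_matches_caller /localhost/my-repo && echo "git will trust it"
```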
📚️ Documentation
Update Demo GIF with VHS @osterman (#898)
what
why
- Video was hopelessly out of date; with this change we can keep it regularly updated with each PR.