patch spindle to give more caps to the container

zenfyrdev · zenfyrdev · commit c7b16ed45249 · 2025-10-16T15:17:22.000+07:00
diff --git a/spindle/Dockerfile b/spindle/Dockerfile
@@ -2,9 +2,11 @@ FROM golang:1.24-alpine as builder
 ENV CGO_ENABLED=1
 
 WORKDIR /app
-RUN apk add gcc musl-dev
+RUN apk add gcc musl-dev patch
 COPY ./core .
-RUN go build -o /usr/bin/spindle -ldflags '-s -w -extldflags "-static"' ./cmd/spindle
+COPY ./docker.patch ./
+RUN patch -p1 < docker.patch && \
+    go build -o /usr/bin/spindle -ldflags '-s -w -extldflags "-static"' ./cmd/spindle
 
 FROM alpine:edge
 EXPOSE 6555
diff --git a/spindle/docker.patch b/spindle/docker.patch
@@ -0,0 +1,13 @@
+diff --git a/spindle/engines/nixery/engine.go b/spindle/engines/nixery/engine.go
+index 8fc8d785..668b4445 100644
+--- a/spindle/engines/nixery/engine.go
++++ b/spindle/engines/nixery/engine.go
+@@ -222,7 +222,7 @@ func (e *Engine) SetupWorkflow(ctx context.Context, wid models.WorkflowId, wf *m
+ 		},
+ 		ReadonlyRootfs: false,
+ 		CapDrop:        []string{"ALL"},
+-		CapAdd:         []string{"CAP_DAC_OVERRIDE"},
++		CapAdd:         []string{"CAP_DAC_OVERRIDE", "CAP_CHOWN", "CAP_FOWNER", "CAP_SETUID", "CAP_SETGID"},
+ 		SecurityOpt:    []string{"no-new-privileges"},
+ 		ExtraHosts:     []string{"host.docker.internal:host-gateway"},
+ 	}, nil, nil, "")
