rugpi icon indicating copy to clipboard operation
rugpi copied to clipboard

Published 20 hours ago verified publisher icon silitics

support for non-privileged builds

Open koehlma opened this issue 8 months ago • 0 comments

Currently, Rugpi Bakery needs to run in a Docker container with elevated privileges (--privileged). With version 0.7, we will no longer require a loop device for building images. Unfortunately, we can still not drop this requirement as we need --bind mounts for the chroot environment in which recipes run. It would be great, if we could reduce the privileges required to run Rugpi Bakery to enable it to run in more contexts (e.g., GitLab CI).

Design Notes

Bubblewrap would be a great basis to enable rootless builds. It is also used by Mkosi. Unfortunately, Bubblewrap still does not run in arbitrary Docker containers (see https://github.com/containers/bubblewrap/issues/505).

Design Proposal

Switch to using Bubblewrap and potentially allow the execution outside of Docker. For Docker, we then still need some elevated privileges but probably can set them on a more fine-grained basis.

koehlma avatar Jun 04 '24 15:06 koehlma