support for non-privileged builds #26

Open
koehlma opened this issue Jun 4, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

Member

koehlma commented Jun 4, 2024

Currently, Rugpi Bakery needs to run in a Docker container with elevated privileges (--privileged). With version 0.7, we will no longer require a loop device for building images. Unfortunately, we still cannot drop this requirement as we need --bind mounts for the chroot environment in which recipes run. It would be great if we could reduce the privileges required to run Rugpi Bakery to enable it to run in more contexts (e.g., GitLab CI).

Design Notes

Bubblewrap would be a great basis to enable rootless builds. It is also used by Mkosi. Unfortunately, Bubblewrap still does not run in arbitrary Docker containers (see containers/bubblewrap#505).

Design Proposal

Switch to using Bubblewrap and potentially allow the execution outside of Docker. For Docker, we then still need some elevated privileges but can probably set them on a more fine-grained basis.

koehlma changed the title from "non-privileged builds" to "support for non-privileged builds" on Jun 4, 2024
koehlma added the enhancement (New feature or request) label on Jun 4, 2024
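
The privilege question raised in this issue can be checked from inside a container before a build starts. The script below is an added example, not Rugpi Bakery code and not part of the original issue: it decodes the effective capability mask from /proc/self/status and classifies the environment. The function names, the mode labels and the two sample masks are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Rugpi Bakery code): report which sandboxing route the
# current environment could support. Function names are hypothetical.

CAP_SYS_CHROOT=18  # bit numbers from linux/capability.h
CAP_SYS_ADMIN=21   # needed for mount(2), including bind mounts

# has_cap HEXMASK BIT: succeed if BIT is set in a CapEff-style hex mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# current_capeff: effective capability mask of this process, as hex.
current_capeff() {
    sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status
}

# userns_limit: per-user limit on user namespaces (0 or missing = disabled).
userns_limit() {
    cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0
}

# build_mode HEXMASK USERNS_LIMIT: classify the environment.
#   chroot-bind : CAP_SYS_ADMIN and CAP_SYS_CHROOT present, so bind mounts
#                 plus chroot are possible
#   userns      : no CAP_SYS_ADMIN, but user namespaces are enabled, so an
#                 unprivileged Bubblewrap may work (seccomp or AppArmor
#                 policies can still block it)
#   unsupported : neither route is available
build_mode() {
    if has_cap "$1" "$CAP_SYS_ADMIN" && has_cap "$1" "$CAP_SYS_CHROOT"; then
        echo chroot-bind
    elif [ "$2" -gt 0 ]; then
        echo userns
    else
        echo unsupported
    fi
}

# Constructed sample masks: Docker's default capability set, and a full set
# as seen with --privileged (exact width depends on the kernel version).
DOCKER_DEFAULT=00000000a80425fb
DOCKER_PRIVILEGED=000001ffffffffff

if [ "${1:-}" = "--check" ]; then
    echo "mode: $(build_mode "$(current_capeff)" "$(userns_limit)")"
fi
```

Run with `--check` inside the build container to classify the live environment; a `userns` result only means the kernel limit permits user namespaces, not that the container's security profile allows creating them.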