Currently, Rugpi Bakery needs to run in a Docker container with elevated privileges (--privileged). With version 0.7, we will no longer require a loop device for building images. Unfortunately, we still cannot drop this requirement as we need --bind mounts for the chroot environment in which recipes run. It would be great if we could reduce the privileges required to run Rugpi Bakery to enable it to run in more contexts (e.g., GitLab CI).
Design Notes
Bubblewrap would be a great basis to enable rootless builds. It is also used by Mkosi. Unfortunately, Bubblewrap still does not run in arbitrary Docker containers (see containers/bubblewrap#505).
Design Proposal
Switch to using Bubblewrap and potentially allow the execution outside of Docker. For Docker, we then still need some elevated privileges but can probably set them on a more fine-grained basis.
koehlma changed the title from "non-privileged builds" to "support for non-privileged builds" on Jun 4, 2024