Unprivileged container builds using stacker

One of the primary goals of user namespaces was to provide the ability for unprivileged users to have their own range of uids over which they would have privilege, with minimal need for setuid programs and no risk (barring bugs in the OS) of their privilege having effect on uids which are not “their own”.

We’ve had user namespaces for a while now. While there are some actions which cannot be done in a user namespace, such as mounting a loopback filesystem, there are many things, such as setting up a build environment with custom package installs, which used to be a challenge without privilege but are now simple.
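To make the uid-range idea concrete, here is an added Python example (not from this post or from stacker) that simulates how the kernel translates uids through a user namespace's /proc/&lt;pid&gt;/uid_map: root inside the namespace is an ordinary uid outside, and outside uids that were never mapped are only visible as the overflow uid. The uid 1000 and the subordinate range 100000-165535 are constructed values standing in for an /etc/subuid allocation.

```python
from typing import List, Optional, Tuple

OVERFLOW_UID = 65534  # default /proc/sys/kernel/overflowuid, shown as "nobody"

# Constructed uid_map for an unprivileged user (uid 1000) who was granted the
# subordinate range 100000-165535. Each line reads:
#   <first uid inside the namespace> <first uid in the parent namespace> <count>
SAMPLE_UID_MAP = """\
0 1000 1
1 100000 65536
"""


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map lines into (inside_start, outside_start, count) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in uid_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def inside_to_parent(uid: int, entries) -> Optional[int]:
    """Translate a uid seen inside the namespace to the parent's uid (None if unmapped)."""
    for inside, outside, count in entries:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None


def parent_to_inside(uid: int, entries) -> int:
    """Translate a parent-namespace uid to what the namespace sees; unmapped uids appear as the overflow uid."""
    for inside, outside, count in entries:
        if outside <= uid < outside + count:
            return inside + (uid - outside)
    return OVERFLOW_UID


def is_mapped_in_parent(uid: int, entries) -> bool:
    """True only for parent uids the namespace owns; its root has no say over the rest."""
    return any(outside <= uid < outside + count for _, outside, count in entries)


if __name__ == "__main__":
    e = parse_uid_map(SAMPLE_UID_MAP)
    print("root inside ->", inside_to_parent(0, e))        # 1000
    print("real root seen inside ->", parent_to_inside(0, e))  # 65534
```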

My friend Tycho wrote stacker as a tool for building OCI images. A few of its features include:

  • Creates OCI images.
  • Can also be used for general software building.
  • Supports layer re-use between build stages to minimize redundant I/O and time.
  • Supports unprivileged use!

To show how to use stacker for unprivileged builds, I created a little demo readme. You can see it in the README.md at my stacker-demo GitHub repo.
