One of the primary goals of user namespaces was to provide the ability for unprivileged users to have their own range of uids over which they would have privilege, with minimal need for setuid programs and no risk (barring bugs in the OS) of their privilege having effect on uids which are not “their own”.
We’ve had user namespaces for a while now. While there are some actions which cannot be done in a user namespace, such as mounting a loopback filesystem, there are many things, such as setting up a build environment with custom package installs, which used to be a challenge without privilege but are now simple.
My friend Tycho wrote stacker as a tool for building OCI images. A few of its features include:
- Creates OCI images.
- Can also be used for general software building.
- Supports layer re-use between build stages to minimize redundant I/O and time.
- Supports unprivileged use!
To show how to use stacker for unprivileged builds, I created a little demo readme. You can see it in the README.md at my stacker-demo github repo.