chainguard-dev / melange

build APKs from source code
Apache License 2.0

Usage without `privileged` flag #285

Open janbaudisch opened 1 year ago

janbaudisch commented 1 year ago

I really like the idea of this tool in combination with apko. However, I tried using it in a GitLab CI environment with only a Docker executor and without the ability to use privileged containers. Therefore, when running the first pipeline step, bubblewrap will fail:

bwrap: Creating new namespace failed: Operation not permitted

I know that this is currently expected. I just wanted to ask whether there is any way to work around this or if there are plans to add an unprivileged mode to melange?

kaniini commented 1 year ago

Melange needs the ability to create a new container, either via bubblewrap or via Docker. If you arrange for the /var/lib/docker.sock to be present, it should be able to use that instead.

adam-moss commented 1 year ago

We use docker-in-docker in GitLab CI for this purpose.
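As an added illustration of the docker-in-docker approach mentioned above (example configuration written for this page, not taken from the melange project or from the commenters), here is a GitLab CI job that points melange at a `docker:dind` service instead of bubblewrap. The job name, image tag, `melange.yaml` path and output directory are assumptions; the `--runner docker`, `--arch`, `--signing-key` and `--out-dir` flags and the `melange keygen` subcommand are melange's own, and the docker runner is assumed to pick up the `DOCKER_HOST` environment variable like a normal Docker client.

```yaml
# Added example, not part of the melange project or of this thread.
# Builds an APK with melange's docker runner talking to a docker-in-docker service.
# Assumptions: the job name, image tag, melange.yaml path and packages/ directory
# are illustrative; DOCKER_HOST is honoured by melange's docker runner.
build-apk:
  image: cgr.dev/chainguard/melange:latest
  services:
    # The dind service provides the Docker daemon melange will create its build
    # container in, so bubblewrap (and its namespace creation) is never used.
    - name: docker:dind
      alias: docker
  variables:
    # Plain TCP to the dind sidecar; disabling TLS keeps the example short.
    # In a real pipeline keep the TLS cert dir and use port 2376.
    DOCKER_HOST: tcp://docker:2375
    DOCKER_TLS_CERTDIR: ""
  script:
    # Generates melange.rsa / melange.rsa.pub used to sign the resulting APKs.
    - melange keygen
    - melange build melange.yaml
        --runner docker
        --arch x86_64
        --signing-key melange.rsa
        --out-dir packages/
  artifacts:
    paths:
      - packages/
```

Caveat: this does not remove the privileged requirement, it relocates it. The `docker:dind` service itself only works when the GitLab runner is configured with `privileged = true` (this holds for the rootless dind image as well), so a runner that forbids privileged containers, as in the original question, will fail at the service startup step rather than at the `bwrap` step.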

jzeminski commented 10 months ago

Is a solution using kaniko possible? I'm running in a secure environment that doesn't seem to allow privileged runners and keep getting the above mentioned bubblewrap error.

dwalrond commented 3 months ago

Having the ability to run unprivileged means I can use this tool within my CI/CD pipeline. It also appears (#1243) that the option --runner kubernetes gives the error ERRO unknown runner: kubernetes.

I cannot justify a custom runner to work around this. Will have to look at alternative tools like kaniko and not use chainguard at this time.