"acbuild run" with dependency fails form inside a container

[ingobecker]

I'm trying to build my aci images form inside a rkt container but using the command run --insecure --engine chroot doesn't work. The commands output shows that the image the build depends on was downloaded but nothing more. Building the image from outside the container works as expected. I also limited the capabilities of the build which i run on the host system to match those used inside a container but that also worked out well, so i guess it's unrelated to capabilities. Any suggestions on what could cause this issue or how to debug it?

[ingobecker]

I figured out, how to fix it. The container i used to run acbuild in needs to have the additional capability CAP_SYS_ADMIN added as well as the systems calls "mount", "umount", "umount2" to the seccomp isolators retain-set. The acbuild begin command then needs to be run from inside a directory into which a volume is mounted which is based on a filesystem supported by overlayfs. That made acbuild extract and mount the aci image dependency correctly and running the command inside the chroot worked as expected.

[cgonyeo]

Glad you were able to make it work, let me know if you run into any more problems

[ingobecker]

The problem that i'm facing now is the lack of /dev, /proc and /sys filesystems. I'm wondering if those are not bindmounted into the chroot intentionally and what the reasons might be.

[cgonyeo]

It's not an intentional thing, the chroot engine just sets less up for the container than the default engine does. Is there a reason that you can't use the default run engine?

[ingobecker]

As i mentioned, i try to run acbuild from inside a rkt container. Running systemd-nspawn nested inside systemd-nspawn seems to cause some issues. At least, when used as the run engine, i get the output "Not running on a systemd system". Don't know what exactly causes the problem. Thats why i tried to use the chroot engine.