ocurrent / docker-base-images

Generate various Docker ocaml images
https://images.ci.ocaml.org
MIT License

An option to provide image with sandboxing? #229

Closed Niols closed 1 year ago

Niols commented 1 year ago

Hi there,

How hard would it be to provide an option to not disable sandboxing? I was trying to use these images to check that some packages install fine in OPAM, and my CI was happy although the package in question was downloading from the internet during its installation.

I don't mean to make it the default, or even to publish images with sandboxing on, but if it happened to be easy to provide, then that would allow me to build my own images without having to redo all the work that has been done in here.

Best, -- Nicolas

MisterDA commented 1 year ago

I suggest you use the images as-is. Then, there's the script that you can use inside the image, opam-sandbox-enable. Run the script, which will just set up ~/.opamrc, then run opam init --reinit.

Niols commented 1 year ago

I was trying to go this route but was facing some issues with bwrap not being able to work properly (which is maybe why it was disabled in the first place actually?). I am getting errors of the sort:

bwrap: No permissions to create new namespace, likely because the kernel does not allow non-privileged user namespaces. See <https://deb.li/bubblewrap> or <file:///usr/share/doc/bubblewrap/README.Debian.gz>.

I will investigate further; thank you!

MisterDA commented 1 year ago

Exactly! bubblewrap isn't useful in a container, sandboxing doesn't make much sense in a container either. Our use-case is that with OBuilder, we extract the Docker images to the host filesystem, and we use runc and bubblewrap to provide containerization and sandboxing in a custom way.
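Two quick checks that help before trusting a green CI run like the one described in the opening post, as an added example that is not part of this thread or of the docker-base-images project: the first asks the kernel directly whether an unprivileged user namespace can be created (the capability bwrap needs, and the one the quoted error says is missing), the second inspects an opam config file to see whether builds are still routed through opam's sandbox wrapper. It assumes `unshare(1)` from util-linux or busybox is installed, and it assumes the opam config layout of one `key: value` field per line with `wrap-build-commands` naming `sandbox.sh` when sandboxing is on and an empty list `[]` when `opam-sandbox-disable` has been applied; the sample config it writes is constructed for the demonstration, not taken from a real image.

```shell
#!/bin/sh
# Added example; not code from ocurrent/docker-base-images.

# Check 1: can this kernel/container create an unprivileged user namespace?
# bwrap needs this; when it is denied you get the "No permissions to create
# new namespace" error quoted in the thread. Prints yes, no, or unknown
# (unknown when unshare(1) is not installed, so the result is inconclusive).
userns_available() {
    if ! command -v unshare >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    # -U: new user namespace, -r: map the caller to root inside it.
    if unshare -U -r true 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Check 2: does the opam config file given as $1 still route builds through
# the sandbox wrapper? Assumed layout (one "key: value" per line, as in
# ~/.opamrc or ~/.opam/config): sandboxing on looks like
#   wrap-build-commands: ["%{hooks}%/sandbox.sh" "build"] {os = "linux" | os = "macos"}
# and sandboxing off looks like
#   wrap-build-commands: []
# Prints "sandboxed" or "unsandboxed" (a missing key also counts as off).
opam_sandbox_status() {
    if grep -E '^wrap-build-commands:.*sandbox\.sh' "$1" >/dev/null 2>&1; then
        echo sandboxed
    else
        echo unsandboxed
    fi
}

# Stand-alone demonstration on a constructed config (the shape written by an
# opam-sandbox-disable style script), not a file taken from a real image.
sample=$(mktemp)
printf 'wrap-build-commands: []\nwrap-install-commands: []\nwrap-remove-commands: []\nrequired-tools: []\n' > "$sample"
echo "user namespaces available: $(userns_available)"
echo "constructed config:        $(opam_sandbox_status "$sample")"
rm -f "$sample"
```

Inside one of these images run it after `opam-sandbox-enable` and `opam init --reinit`, pointing `opam_sandbox_status` at `~/.opam/config`; if the first check prints `no`, the sandbox will not start even though the config says `sandboxed`, which is exactly the situation hit further up in this thread, and the CI result says nothing about network access during builds.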

talex5 commented 1 year ago

It will probably work with docker run --privileged (but you have to trust the container then).

Niols commented 1 year ago

Trusting the container is not a problem because the goal was only to run it in GitHub Actions. However, I have played with it for a while, and it turns out it is actually very hard to get bubblewrap running properly inside Docker. I will give up on the Docker route; I was abusing it a little anyways.

I think we can conclude that it would indeed be hard to provide such an option and that it is therefore way out of the scope of this project.

Thank you very much for your help! :-)