Currently, Rugpi Bakery needs to run in a Docker container with elevated privileges (--privileged). With version 0.7, we will no longer require a loop device for building images. Unfortunately, we can still not drop this requirement as we need --bind mounts for the chroot environment in which recipes run. It would be great, if we could reduce the privileges required to run Rugpi Bakery to enable it to run in more contexts (e.g., GitLab CI).
Switch to using Bubblewrap and potentially allow the execution outside of Docker. For Docker, we then still need some elevated privileges but probably can set them on a more fine-grained basis.
Currently, Rugpi Bakery needs to run in a Docker container with elevated privileges (
--privileged). With version 0.7, we will no longer require a loop device for building images. Unfortunately, we can still not drop this requirement as we need--bindmounts for thechrootenvironment in which recipes run. It would be great, if we could reduce the privileges required to run Rugpi Bakery to enable it to run in more contexts (e.g., GitLab CI).Design Notes
Bubblewrap would be a great basis to enable rootless builds. It is also used by Mkosi. Unfortunately, Bubblewrap still does not run in arbitrary Docker containers (see https://github.com/containers/bubblewrap/issues/505).
Design Proposal
Switch to using Bubblewrap and potentially allow the execution outside of Docker. For Docker, we then still need some elevated privileges but probably can set them on a more fine-grained basis.