
#1 2020-08-13 14:15:37

kyak
Member
Registered: 2012-01-20
Posts: 31

Building archiso in unprivileged Docker container

Hello guys,

It is required to be root to successfully build archiso (this is mentioned several times in Archiso Wiki: https://wiki.archlinux.org/index.php/Archiso).

I've had success building archiso in a virtual machine (being root there). However, a virtual machine is not suitable for my use case.

I tried using Docker for that, but it requires a privileged container (even though it is already being run as root inside the container).

I get this error:

==> Creating install root at work/x86_64/airootfs
mount: /github/workspace/archiso/releng/work/x86_64/airootfs/proc: permission denied.
==> ERROR: failed to setup chroot work/x86_64/airootfs

As you can see, I'm playing around with GitHub runners, where I've set up an Arch Linux based Docker.

I've seen someone had success doing this, but they are running docker with the --privileged flag: https://github.com/nlhomme/archiso-builder

Does anyone have a clue about that?

Last edited by kyak (2020-08-13 14:16:18)
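
Root inside a default Docker container does not hold CAP_SYS_ADMIN, which mount requires, and that matches the "permission denied" on airootfs/proc in the post above. The following preflight check is an added example, not part of the original post and not archiso code; the function names and the sample capability masks are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight check to run inside the build container before mkarchiso.
# mount(2) needs CAP_SYS_ADMIN (capability bit 21 in linux/capability.h);
# root in a default Docker container does not hold it.
CAP_SYS_ADMIN=21

# cap_eff FILE: print the hex CapEff mask from a /proc/<pid>/status-style file.
cap_eff() {
    awk '$1 == "CapEff:" { print $2; exit }' "$1"
}

# has_cap FILE BIT: succeed if capability number BIT is set in CapEff.
has_cap() {
    mask=$(cap_eff "$1")
    [ -n "$mask" ] || return 2
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# preflight [FILE]: return 0 only if the process is root AND holds CAP_SYS_ADMIN.
preflight() {
    sf=${1:-/proc/self/status}
    euid=$(awk '$1 == "Uid:" { print $3; exit }' "$sf")   # 2nd value = effective UID
    if [ "$euid" != "0" ]; then
        echo "not root (euid=$euid)"; return 1
    fi
    if ! has_cap "$sf" "$CAP_SYS_ADMIN"; then
        echo "root, but no CAP_SYS_ADMIN: mounting airootfs/proc will be denied"
        return 1
    fi
    echo "root with CAP_SYS_ADMIN (seccomp or AppArmor may still deny mount)"
}

# make_status FILE UID MASK: write a constructed, minimal status file.
make_status() {
    printf 'Name:\tsh\nUid:\t%s\t%s\t%s\t%s\nCapEff:\t%s\n' \
        "$2" "$2" "$2" "$2" "$3" > "$1"
}

# Demo on constructed masks: a restricted set typical of a default Docker
# container, then a full set as seen with --privileged.
tmp=$(mktemp)
make_status "$tmp" 0 00000000a80425fb; preflight "$tmp" || true
make_status "$tmp" 0 000001ffffffffff; preflight "$tmp"
rm -f "$tmp"
```

Inside the real container, calling `preflight` with no argument reads /proc/self/status, so a CI job can fail early with a clear message instead of partway through the build.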


#2 2023-01-31 20:24:06

gh4st
Member
Registered: 2023-01-31
Posts: 3

Re: Building archiso in unprivileged Docker container

Yeah, I had the same issue today while trying to build a custom archiso config as an automated task on a k8s cluster. Clearly, a container is not my best bet.


#3 2023-01-31 21:44:31

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 646

Re: Building archiso in unprivileged Docker container

https://gitlab.archlinux.org/archlinux/ … /issues/40 lists the places where mkarchiso currently needs root.

Biggest issue is that pacstrap, by default, requires running as root.
While it has a new unshare mode (option -N), we need to preserve the UIDs and GIDs inside the root file system image, so the whole thing (mkarchiso) would need to run in unshare.

Also from what I've seen, `pacstrap -K -N /tmp/test base linux` will fail at various steps where some pacman hook or install script tries to access /dev, e.g. a file descriptor /dev/fd/* or /dev/stdin.

All of this is probably solvable in one way or another, but just lacks someone willing to put in the effort to sort it all out.


#4 2023-10-09 09:44:11

dcy3rka
Member
Registered: 2022-01-19
Posts: 52

Re: Building archiso in unprivileged Docker container

Any news on this? I'm very interested in running mkarchiso in an unprivileged container.
