Bootstrapping Alpine Linux without root

(blog.brixit.nl)

28 points | by mooreds 3 days ago

3 comments

  • coppsilgold 3 hours ago
    You can rip a rootfs from a docker image using skopeo[1] and undocker[2] then you can puppeteer it with bwrap[3].

    This works for most linux distributions (they behave well as fakeroot puppets). Package managers from Debian-based distros tend to misbehave in bwrap in my experience.

    I use this method to obtain software from various distro repositories or when RPM packages are distributed by vendors.

    [1] <https://github.com/containers/skopeo>

    [2] <https://git.jakstys.lt/motiejus/undocker>

    [3] <https://github.com/containers/bubblewrap>

  • yjftsjthsd-h 4 hours ago
    > Creating a chroot in Linux is pretty easy: put a rootfs in a folder and run the sudo chroot /my/folder command. But what if you don't want to use superuser privileges for this?

    My very first thought is actually proot ( https://proot-me.github.io/ ), though that does have a performance hit.

    That said, once you're using unshare (which is a good idea), why not just use podman? Mostly the same under the hood, but does a bunch of this for you. And for this exact usecase I appreciate that there are tradeoffs but I personally would have built pmbootstrap out of Dockerfiles in the first place.

    • MartijnBraam 2 hours ago
      Using wrappers doesn't really help that much because the difficulties are in the things that aren't covered anyway. Proot doesn't help for these issues, there's a long-standing open issue for that one.

      Using docker would make the mixing and nesting of native and foreign architecture chroots only more difficult

      • yjftsjthsd-h 39 minutes ago
        > Using wrappers doesn't really help that much because the difficulties are in the things that aren't covered anyway. Proot doesn't help for these issues, there's a long-standing open issue for that one.

        Could I ask for more details? I could certainly believe that podman doesn't do something that's needed, but I'm pretty sure it does everything that this particular article spends time setting up out of the box. And I can't find anything about proot; https://gitlab.postmarketos.org/postmarketOS/pmbootstrap/-/i... gives me nothing and a web search only gives me https://gitlab.com/postmarketOS/pmbootstrap/-/issues/2052#no... which is... either they're wrong (because faking mounts is definitely something proot does), they were right but it's changed (I don't know when that was added), or I'm misunderstanding the problem (maybe pmbootstrap dynamically changes mounts?).

        > Using docker would make the mixing and nesting of native and foreign architecture chroots only more difficult

        Would it? I'm not intimately familiar with how postmarketos is doing it now, but I have done qemu-user-static with docker and it's easy to work with; you can either do the whole thing in docker with https://github.com/multiarch/qemu-user-static , or I think you can enable qemu on the host and it automatically works in containers.

        EDIT: Oh hang on, I might have it - doing that with docker needs --privileged so probably doesn't work if you're running without root. I personally would shrug and say that running this one command as root is fine but if we want zero sudoing then yeah that's a problem.

  • Dwedit 5 hours ago
    What about user-mode Linux containers?
    • yjftsjthsd-h 36 minutes ago
      Depending on what "user-mode Linux containers" means:

      User Mode Linux (UML) - You could do that but at that point IMHO you might as well just run in qemu; UML is annoying to work with and performance isn't great.

      Containers (of the sort popularized by docker and kubernetes) without root: As sibling comment says, this is that; from the kernel's view, manually calling unshare yourself looks the same as what podman or rootless docker do.

    • MartijnBraam 2 hours ago
      These are user-mode containers