top | item 43126520

(no title)

vlowrian | 1 year ago

If file system level isolation is enough for you, take a loot at schroot (https://linux.die.net/man/1/schroot) which allows root-less chroot. You can use something like debootstrap to get a complete userland into a user controlled directory and use schroot to chroot into it without root level access.

discuss

Imustaskforhelp|1 year ago

this is crazy , trying this out right now.

But is there a way to also run OCI compatible directly on this as well?

mst|1 year ago

You could use docker export to sluro the container contents (see article for example)

Imustaskforhelp|1 year ago

EDIT: it seems that for creating a chroot you still require root.

I don't have root on that system and so I can't create a chroot , there is fakeroot but it doesn't work since it uses qemu on that locked system.

Are there any other alternatives

NekkoDroid|1 year ago

> it seems that for creating a chroot you still require root.

You actually don't as long as you have user namespaces.

One thing I am working on I use chroot (rather unshare --root=) to minimally sandbox a subprocess. At the beginning of the script I have this little snippet:

    if [ "$(id --user)" -ne 0 ]; then
     exec unshare --map-root-user --mount -- "$0" "$@"
    fi

Though you can probably just do something roughtly as `unshare --map-root-user --root=<PATH>`.

ttyprintk|1 year ago

Fakeroot is good for the debootstrap step, and then schroot runs unprivileged.

igor47|1 year ago

fakeroot has nothing to do with qemu -- it simply uses LD preload to make commands think they're uid 0