[Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images

Arnout Vandecappelle arnout at mind.be
Mon Sep 23 07:49:26 UTC 2019



On 23/09/2019 09:44, Esben Haabendal wrote:
> Peter Korsgaard <peter at korsgaard.com> writes:
> 
>>>>>>> "Arnout" == Arnout Vandecappelle <arnout at mind.be> writes:
>>
>> Hi,
>>
>>  >  Does this also work if the tarball is cross-compiled for a different
>>  > architecture? Probably it does, and it just SIGILLs when you try to run the
>>  > container...
>>
>> Yes. Even easier is just
>>
>> docker import output/images/rootfs.tar <myproject:mytag>
>>
>>  >  Yeah, except unfortunately docker security sucks, so on most distros you need
>>  > sudo to run any docker command, even 'docker build'.
>>
>>  >  So, it would be nice if we could generate the OCI image without docker.
>>
>> I believe you can do similar with e.g. buildah:
>>
>> https://github.com/containers/buildah
>>
>> But you anyway need buildah/docker/.. to then finally do something with
>> the docker image afterwards, so perhaps just documenting the 'docker
>> import' oneliner is enough and not try to do it in Buildroot.
> 
> Sorry for the duplicate comment about buildah.
> 
> To do something with an OCI image built with buildah, you should
> consider using podman (https://github.com/containers/libpod), as it also
> can be used without root privileges, so should be feasible on shared
> servers.

 I may be wrong, but as I understand it, all these tools actually call docker
under the hood. They can be used without root privileges because they are
installed with all the necessary suid bits and caps and stuff. However, AFAIU,
you can't build and install them as non-root and then create an image with it.

 umoci was the only tool I found that seemed to *really* not require root.

 Regards,
 Arnout
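
An added illustration, not part of the original thread and not code from Buildroot, umoci or any other tool named above: an OCI image layout is content-addressed files plus JSON, so a rootfs.tar can be wrapped as a single-layer image with the Python standard library and no privileges. The function names, the `mytag` reference name and the `arm` architecture value are assumptions, and the sample tarball is constructed.

```python
import hashlib, io, json, os, tarfile, tempfile

def put_blob(layout, data):
    """Store data under blobs/sha256/<hex> and return (digest, size)."""
    hexd = hashlib.sha256(data).hexdigest()
    blobs = os.path.join(layout, "blobs", "sha256")
    os.makedirs(blobs, exist_ok=True)
    with open(os.path.join(blobs, hexd), "wb") as f:
        f.write(data)
    return "sha256:" + hexd, len(data)

def desc(media_type, digest, size, **extra):
    return {"mediaType": media_type, "digest": digest, "size": size, **extra}

def rootfs_to_oci(rootfs_tar, layout, tag, arch):
    """Wrap an uncompressed rootfs tarball as a single-layer OCI image layout."""
    with open(rootfs_tar, "rb") as f:
        layer = f.read()
    l_digest, l_size = put_blob(layout, layer)
    # For an uncompressed layer the diff_id equals the layer blob digest.
    # 'arch' is metadata only: nothing from the tarball is executed here.
    config = {"architecture": arch, "os": "linux", "config": {"Cmd": ["/bin/sh"]},
              "rootfs": {"type": "layers", "diff_ids": [l_digest]}}
    c_digest, c_size = put_blob(layout, json.dumps(config).encode())
    manifest = {"schemaVersion": 2,
                "mediaType": "application/vnd.oci.image.manifest.v1+json",
                "config": desc("application/vnd.oci.image.config.v1+json", c_digest, c_size),
                "layers": [desc("application/vnd.oci.image.layer.v1.tar", l_digest, l_size)]}
    m_digest, m_size = put_blob(layout, json.dumps(manifest).encode())
    index = {"schemaVersion": 2, "manifests": [desc(
        "application/vnd.oci.image.manifest.v1+json", m_digest, m_size,
        annotations={"org.opencontainers.image.ref.name": tag})]}
    with open(os.path.join(layout, "index.json"), "w") as f:
        json.dump(index, f)
    with open(os.path.join(layout, "oci-layout"), "w") as f:
        json.dump({"imageLayoutVersion": "1.0.0"}, f)
    return m_digest

def demo():
    """Build a constructed one-file rootfs.tar and convert it; returns (layout, digest)."""
    work = tempfile.mkdtemp()
    tar_path = os.path.join(work, "rootfs.tar")
    with tarfile.open(tar_path, "w") as t:
        info = tarfile.TarInfo("etc/os-release")
        body = b"NAME=Buildroot\n"
        info.size = len(body)
        t.addfile(info, io.BytesIO(body))
    layout = os.path.join(work, "oci")
    return layout, rootfs_to_oci(tar_path, layout, "mytag", "arm")
```

Every blob is named by its own SHA-256, so a consumer can verify the manifest, config and layer by re-hashing them against the descriptors in `index.json`.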



