Hi,

Quoting Raphaël Hertzog (2020-11-29 11:42:16)
> I know that multiple developers started using podman and buildah to manage
> containers where they build their Debian packages. With user namespace
> support, this allows rootless building (like the "unshare" chroot
> mode)... you don't even need root to set up the "build chroot" since those
> are containers that you can download (or rebuild if you prefer).

Already today you don't need to be root to set up the build chroot, by using
mmdebstrap as a debootstrap drop-in replacement in sbuild-createchroot like so:

    $ sbuild-createchroot --debootstrap=mmdebstrap --make-sbuild-tarball \
          ~/.cache/sbuild/unstable-amd64.tar.gz unstable $(mktemp -d)

The resulting tarball can then be used with the sbuild unshare backend. The
only time you need to be root is to execute

    $ sudo sysctl -w kernel.unprivileged_userns_clone=1

But I guess you also need this for podman and buildah?

> Thus it would be nice if sbuild had a "podman" chroot mode where it could
> use podman containers to build the packages.
> 
> A "sbuild-create-oci" command would also be helpful to build the various
> container images, either from scratch (so that you don't have to trust
> images that you download) or on top of pre-existing OCI images (to
> save time and effort). That command should not be hard to build on top
> of buildah.
> 
> Some links:
> http://tauware.blogspot.com/2020/04/building-packages-with-buildah-in-debian.html
> https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users/

I'm absolutely for it! If somebody wants to implement and maintain it, please
send patches for me to review. The person can then keep maintaining the podman
chroot mode easily because sbuild is in the Debian group on salsa.

What I would like even more would be to add a podman backend to autopkgtest.
This has the following advantages:

 - it would already work with sbuild today (no changes in sbuild required)
 - no duplicated work to have podman support in both sbuild and autopkgtest

Thanks!

cheers, josch
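
An added example, not part of the message above: a preflight check for the rootless setup it describes, confirming that unprivileged user namespaces are usable and that the chroot tarball exists before sbuild is run with the unshare backend. The function names and the extra `user.max_user_namespaces` check are assumptions of this example; the tarball path and the `kernel.unprivileged_userns_clone` sysctl are the ones from the message.

```shell
#!/bin/sh
# Preflight for the rootless sbuild (unshare backend) setup described above.
# File paths are parameters so the logic can be exercised on constructed files.

# Print the user-namespace state; return 0 if usable, non-zero otherwise.
userns_state() {
    clone_file=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    max_file=${2:-/proc/sys/user/max_user_namespaces}

    # user.max_user_namespaces=0 disables user namespaces for everyone,
    # regardless of the Debian-specific sysctl.
    if [ -r "$max_file" ] && [ "$(cat "$max_file")" = "0" ]; then
        echo "disabled-max"; return 1
    fi
    # The sysctl from the message comes from a Debian kernel patch; where the
    # file is absent, that particular restriction does not exist.
    if [ ! -e "$clone_file" ]; then
        echo "no-knob"; return 0
    fi
    case "$(cat "$clone_file")" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown";  return 2 ;;
    esac
}

# Check both prerequisites; the default tarball path is the one from the message.
preflight() {
    tarball=${1:-"$HOME/.cache/sbuild/unstable-amd64.tar.gz"}
    state=$(userns_state) || {
        echo "user namespaces not usable ($state)" >&2
        return 1
    }
    [ -f "$tarball" ] || { echo "missing chroot tarball: $tarball" >&2; return 1; }
    echo "ok: userns=$state tarball=$tarball"
}

# Run the check only when asked to, e.g.: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

A `disabled` result corresponds to the one step in the message that needs root, the `sysctl -w` call.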
