← Back to context

Comment by vlowrian

2 days ago

If file system level isolation is enough for you, take a loot at schroot (https://linux.die.net/man/1/schroot) which allows root-less chroot. You can use something like debootstrap to get a complete userland into a user controlled directory and use schroot to chroot into it without root level access.

6 comments

vlowrian

Reply
Imustaskforhelp  2 days ago

this is crazy , trying this out right now.

But is there a way to also run OCI compatible directly on this as well?

  • mst  2 days ago

    You could use docker export to sluro the container contents (see article for example)

Imustaskforhelp  2 days ago

EDIT: it seems that for creating a chroot you still require root.

I don't have root on that system and so I can't create a chroot , there is fakeroot but it doesn't work since it uses qemu on that locked system.

Are there any other alternatives

  • NekkoDroid  2 days ago

    > it seems that for creating a chroot you still require root.

    You actually don't as long as you have user namespaces.

    One thing I am working on I use chroot (rather unshare --root=) to minimally sandbox a subprocess. At the beginning of the script I have this little snippet:

        if [ "$(id --user)" -ne 0 ]; then
     exec unshare --map-root-user --mount -- "$0" "$@"
    fi

    Though you can probably just do something roughtly as `unshare --map-root-user --root=<PATH>`.

  • igor47  2 days ago

    fakeroot has nothing to do with qemu -- it simply uses LD preload to make commands think they're uid 0