If file system level isolation is enough for you, take a loot at schroot (https:...

Imustaskforhelp · 2025-02-21T14:18:02 1740147482

this is crazy , trying this out right now.

But is there a way to also run OCI compatible directly on this as well?

mst · 2025-02-21T14:22:41 1740147761

You could use docker export to sluro the container contents (see article for example)

Imustaskforhelp · 2025-02-21T14:21:26 1740147686

EDIT: it seems that for creating a chroot you still require root.

I don't have root on that system and so I can't create a chroot , there is fakeroot but it doesn't work since it uses qemu on that locked system.

Are there any other alternatives

NekkoDroid · 2025-02-21T23:37:12 1740181032

> it seems that for creating a chroot you still require root.

You actually don't as long as you have user namespaces.

One thing I am working on I use chroot (rather unshare --root=) to minimally sandbox a subprocess. At the beginning of the script I have this little snippet:

    if [ "$(id --user)" -ne 0 ]; then
     exec unshare --map-root-user --mount -- "$0" "$@"
    fi

Though you can probably just do something roughtly as `unshare --map-root-user --root=<PATH>`.

ttyprintk · 2025-02-21T14:38:16 1740148696

Fakeroot is good for the debootstrap step, and then schroot runs unprivileged.

igor47 · 2025-02-21T16:38:47 1740155927

fakeroot has nothing to do with qemu -- it simply uses LD preload to make commands think they're uid 0