buildroot: use bwrap to contain stages
This swaps the `systemd-nspawn` implementation for `bubblewrap` to
contain sub-processes. It also adjusts the `BuildRoot` implementation
to reduce the number of mounts required to keep locally.
This has the following advantages:
* We know exactly what the build-root looks like. Only the bits and
pieces we select will end up in the build-root. We can let RPM
authors know what environment their post-install scripts need to
run in, and we can reliably test this.
* We no longer need any D-Bus access or access to other PID1
facilities. Bubblewrap allows us to execute from any environment,
including containers and sandboxes.
* Bubblewrap setup is significantly faster than nspawn. This is a
minor point though, since nspawn is still fast enough compared to
the operations we perform in the container.
* Bubblewrap does not require root.
At the same time, we have a bunch of downsides which might increase the
workload in the future:
* We now control the build-root, which also means we have to make sure
it works on all our supported architectures, all quirks are
included, and all required resources are accessible from within the
build-root.
The good thing here is that we have lots of previous art we can
follow, and all the other ones just play whack-a-mole, so we can
join that fun.
The `bubblewrap` project is used by podman and flatpak; it is packaged
for all major distributions, and looks like a stable dependency.
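The commit message argues that with bubblewrap only the pieces you explicitly select end up in the build-root and no root privileges are needed. The script below is an added illustration of that idea, not osbuild's own `BuildRoot` code: it assembles a `bwrap` argument list that exposes a chosen tree read-only plus a handful of fresh, empty mount points, and nothing else. The tree path and the helper names are assumptions for the example.

```bash
#!/bin/sh
# Added example (not osbuild's code): compose a bubblewrap invocation for a
# contained build-root. Everything visible inside the sandbox is listed here,
# so the environment a post-install script sees is fully known and testable.

# Print the bwrap options, one per line, for a build-root tree at $1.
# Only $1/usr is exposed (read-only); /bin, /lib and friends are symlinks
# into it, and /proc, /dev and the tmp directories are fresh, private mounts.
bwrap_args() {
    tree="$1"
    printf '%s\n' \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --ro-bind "$tree/usr" /usr \
        --symlink usr/bin /bin \
        --symlink usr/sbin /sbin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --tmpfs /var/tmp \
        --chdir /
}

# Run a command inside the build-root at $1. No root needed, but
# --unshare-all relies on the host allowing unprivileged user namespaces
# (or on a setuid-installed bwrap). The tree path must not contain
# whitespace, since the option list is word-split here for simplicity.
run_in_buildroot() {
    tree="$1"; shift
    # shellcheck disable=SC2046
    bwrap $(bwrap_args "$tree") -- "$@"
}

# Example usage (assumed path): list what the sandbox actually contains.
# run_in_buildroot /srv/buildroot ls -la /
```

Because the option list is data, it can be asserted on in a test without a working `bwrap` on the host; a missing or extra bind shows up as a diff in that list.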
parent d3a97a90a5
commit d1b9304a56
3 changed files with 152 additions and 95 deletions
@ -20,8 +20,8 @@ of the pipeline description, and more.
The requirements for this project are:
* `bubblewrap >= 0.4.0`
* `python >= 3.7`
* `systemd-nspawn >= 244`
Additionally, the built-in stages require:
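Review bot: this README hunk lists `bubblewrap >= 0.4.0` and `systemd-nspawn >= 244` side by side under the requirements, while the commit message says nspawn is being swapped out for bubblewrap; if `BuildRoot` no longer uses nspawn, its requirement line should go, and since the rendered diff has lost its +/- markers it is worth double-checking which of the two lines is the removal. The bubblewrap entry would also benefit from a short note that running without root relies on the host permitting unprivileged user namespaces, or on a setuid-installed `bwrap`.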