A PoC was shown of how to do this with buildkit several weeks ago in [0], but in your words - it's also not for the faint of heart (involving patching the Kernel). This is the way of the future - Docker image builds should not need to be privileged (they often are for mounting filesystems)
> A PoC was shown of how to do this with buildkit several weeks ago in [0], but in your words - it's also not for the faint of heart (involving patching the Kernel).
Rootless builds work without kernel patches (the "rawproc" stuff mentioned in issues is not going to be merged into the kernel and there are other ways of fixing the issue -- like mounting an empty /proc into the container). I can do builds right now on my machine with orca-build.
The main reason it's for the faint of heart is that we don't really have nice wrappers around all of these technologies (runc works perfectly fine, as does umoci, as does orca-build, as does proot, as does ...). Jess's project is quite nice because it takes advantage of the cache stuff BuildKit has, though I personally prefer umoci's way of doing storage and unprivileged building (though I am quite biased ofc). I'm going to port orca-build to Go and probably will take some inspiration from "img" as to how to use Docker's internal Dockerfile parsing library.
[0] https://github.com/genuinetools/img

Similar: https://github.com/AkihiroSuda/runrootless