
Container image build flows

Building container images can be classified into several categories (cf. “Zero-consistency root emulation for unprivileged container image build”, Priedhorsky et al., arXiv:2405.06085 [cs.DC]):

  • Type III: classical OCI/docker build: a root-privileged service is needed to perform the "container actions" (e.g., docker build .)
  • Type II: user-namespaced/unprivileged/rootless: requires user namespaces (cf. man 2 unshare; e.g., buildah --isolation=rootless)
  • Type I: user-namespaced, but only with a mount namespace: effectively a namespaced chroot (buildah --isolation=chroot)
  • Type 0: "pure" userspace: seccomp or ptrace() is used to intercept all relevant syscalls (e.g., chown()) and emulate them (e.g., proot)

→ Building userspace software does not require any elevated permissions, i.e. it should already work with Type 0 (this might not be true for some post-build aspects of service deployment flows).

⇒ In CI we do not want any Type III builds! (for security reasons: a root-privileged build service is reachable from the job)

(Side remark: in unprivileged GitLab docker runners, only Type 0 is possible.)
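To turn the classification above into something a CI job can check, here is an added example (not part of the original page or of any of the tools it names) that probes which build types the current environment could support and then applies the rule "no Type III in CI" by selecting the least privileged type that works. Every probe is a heuristic assumption: the Docker socket path, the util-linux `unshare` flags used to test namespace support, and reading Yama's `ptrace_scope` as a proxy for Type 0 feasibility (seccomp profiles that block ptrace are not probed).

```python
"""Probe which container image build types (0..III, as classified on this page)
the current environment could support, and apply the CI rule "no Type III".

Added example, not part of the original page. Every probe is a heuristic
assumption (socket path, unshare flags, Yama ptrace_scope), not an
authoritative test of any particular build tool.
"""
import os
import subprocess

DOCKER_SOCKET = "/var/run/docker.sock"  # assumed default Docker socket path

# Tool invocation the page names for each type (used for the report only).
TOOL_FOR_TYPE = {
    "III": "docker build .",
    "II": "buildah --isolation=rootless",
    "I": "buildah --isolation=chroot",
    "0": "proot",
}
# Most privileged first; CI should pick the least privileged type that works.
PRIVILEGE_ORDER = ["III", "II", "I", "0"]


def _unshare_works(*flags):
    """True if `unshare <flags> true` (util-linux) exits 0 for this user."""
    try:
        r = subprocess.run(["unshare", *flags, "true"], timeout=5,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return r.returncode == 0
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False


def _read_int(path, default):
    """Read a single integer sysctl-style file; default if absent/unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def probe_environment():
    """Collect raw facts; the classification itself is done by classify()."""
    userns_enabled = _read_int("/proc/sys/user/max_user_namespaces", 0) > 0
    return {
        # Type III: a writable Docker socket means a root-privileged daemon
        "docker_socket_writable": os.access(DOCKER_SOCKET, os.W_OK),
        # Type II: user ns with uid 0 mapped plus pid/mount/net namespaces
        "rootless_ns": userns_enabled
        and _unshare_works("-U", "-r", "-f", "-p", "-m", "-n"),
        # Type I: user ns plus a private mount ns suffices for a namespaced chroot
        "user_mount_ns": userns_enabled and _unshare_works("-U", "-r", "-m"),
        # Type 0: ptrace of own children; Yama scope 3 forbids it entirely
        # (a seccomp profile may still block it; not probed here)
        "ptrace": _read_int("/proc/sys/kernel/yama/ptrace_scope", 0) < 3,
    }


def classify(facts):
    """Return the supported build types, most privileged first."""
    supported = []
    if facts["docker_socket_writable"]:
        supported.append("III")
    if facts["rootless_ns"]:
        supported.append("II")
    if facts["user_mount_ns"]:
        supported.append("I")
    if facts["ptrace"]:
        supported.append("0")
    return supported


def choose_ci_flow(facts):
    """Least privileged supported type, never III.

    Returns None when only Type III (or nothing) is available, which is the
    case a CI job should fail on instead of falling back to docker build."""
    supported = classify(facts)
    for build_type in reversed(PRIVILEGE_ORDER):
        if build_type != "III" and build_type in supported:
            return build_type
    return None


if __name__ == "__main__":
    env = probe_environment()
    print("supported types:", classify(env))
    chosen = choose_ci_flow(env)
    print("CI flow:", chosen, "->", TOOL_FOR_TYPE.get(chosen, "none; fail the job"))
```

Run it inside the runner image that will execute the build; on an unprivileged GitLab docker runner it should report only Type 0 (or nothing, if ptrace is blocked by seccomp, which this probe cannot see). Keeping `classify()` and `choose_ci_flow()` pure makes the policy testable without touching the host.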

Edited by Eric Müller