Hey there,
The LXD team develops an image building tool called distrobuilder
which we use to produce all our images:
It’s a pretty straightforward Go application that we very easily managed to snap.
I however don’t think we can have it be strictly confined as it needs to:
- Download artifacts for just about any Linux distribution (not an issue)
- Extract those artifacts
  - tarballs (not an issue)
  - squashfs (not an issue)
  - iso images (needs loop devices and mounting of filesystems)
  - squashfs in iso (similar to iso but extra mounts)
  - docker images (problematic)
- Set up a minimal container using pidns and mntns (problematic)
- Use chroot/pivot_root (problematic)
- Run arbitrary commands inside that chroot (package installations, customization scripts, …) (problematic)
- Create arbitrary device nodes (char & block) (problematic)
- Compress the resulting tree (not an issue)
Our long term goal for security is to be able to operate distrobuilder inside an unprivileged LXD container, though even there we still have quite a few issues, especially around mounting iso, squashfs, ext4 filesystems. We can do some of that through FUSE, but once we’re dealing with code coming from the distro we’re building, it gets harder to go and alter their code to use FUSE rather than a straight mount.
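As an added illustration of the request above (this is not the project's own snapcraft.yaml), here is what a classic-confined recipe for the tool would look like; the base, source URL, import path and package lists are assumptions, and each staged package is tied to one of the artifact types listed above.

```yaml
# Hypothetical snapcraft.yaml for distrobuilder (illustration, not the real recipe)
name: distrobuilder
base: core18
summary: Image builder for LXC and LXD
description: |
  Builds root filesystems and images for LXC/LXD from upstream distribution
  artifacts (tarballs, squashfs, ISOs, docker images).
grade: stable
# Classic confinement: strict mode has no interface that allows loop-device
# mounts, creating pid/mnt namespaces, pivot_root or arbitrary mknod, which
# the build steps above require. Classic is only a stop-gap until the tool
# can run inside an unprivileged container.
confinement: classic

apps:
  distrobuilder:
    command: bin/distrobuilder

parts:
  distrobuilder:
    plugin: go
    source: https://github.com/lxc/distrobuilder   # assumed upstream location
    go-importpath: github.com/lxc/distrobuilder    # assumed import path
    build-packages:
      - gcc
      - libc6-dev
    stage-packages:
      - squashfs-tools   # unsquashfs for squashfs and squashfs-in-iso artifacts
      - gnupg            # verify signatures on downloaded tarballs/ISOs
      - rsync            # copy extracted trees before compression
```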