Understanding rootless and containerized builds
Automotive Image Builder can run builds inside a container rather than directly on the host. Containerized builds isolate the build environment from the host filesystem and allow users without root access to produce bootc images and disk images.
About rootless containerized builds with --user-container
The AIB --user-container option runs the entire build inside a rootless
Podman container. The build process does not require root privileges on
the host, making rootless builds suitable for shared development systems,
CI/CD pipelines, and environments where granting root access is not
practical.
When you use --user-container, keep in mind the following key points:
- By default, AIB launches a rootless Podman container using the quay.io/centos-sig-automotive/automotive-image-builder image. Use --container-image to specify a different image.
- The build runs inside the container with limited access to the host filesystem.
- For disk image operations (aib to-disk-image or the combined aib build with a disk output), AIB automatically enables the --vm option. The virtual machine handles partition table and filesystem creation that would otherwise require root-level block device access.
- Container images produced by the build are stored in the default per-user container store (~/.local/share/containers/storage/). Use --container-storage to direct build artifacts to a separate location so they do not affect your regular per-user store. The AIB runner container itself always uses the standard per-user store.
About rootful containerized builds with --container
The --container option runs the build inside a rootful container. The
build process uses the same AIB container image as --user-container
but runs with full root privileges inside the container. Rootful
containerized builds support disk image creation without --vm.
However, using --vm is recommended for all builds because it uses the
kernel from the image being built, which produces more reliable results.
Omit --vm only if VM support (KVM) is not available on the build host.
Use --container instead of --user-container under the following
conditions:
- The build host has Podman configured for rootful operation.
- The build environment permits running containers with elevated privileges.
Add --container-autoupdate to automatically pull a newer version of
the AIB container image before each build.
Understanding custom container storage
By default, containerized builds read and write container images in the
default storage location. The --container-storage option directs AIB to
use a separate directory for the images it produces and consumes during
the build, thereby keeping build artifacts separate from the default storage location:
$ aib build --user-container \
--container-storage /var/tmp/aib-storage \
--target qemu \
manifest.aib.yml \
my-image
The AIB runner container (for example,
quay.io/centos-sig-automotive/automotive-image-builder) always uses
the standard per-user store regardless of the --container-storage
value.
Consider using custom container storage for the following use cases:
- To keep build artifacts separate from container images you use for other purposes.
- When using CI/CD pipelines that split build and disk image steps into separate jobs and need a shared directory.
- When managing disk space by directing storage to a volume with sufficient capacity.
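The following is an added example, not part of the AIB documentation or project: a small POSIX shell wrapper that turns the rules from the rootful and rootless sections above (which container option to use, when to pass --vm, when to add --container-storage) into the option list for an aib build invocation. The helper names aib_build_args and aib_host_defaults are assumed; the flags themselves are the ones this page documents, and treating uid 0 as "Podman is configured for rootful operation" is a simplifying assumption.

```shell
#!/bin/sh
# Added example (not AIB project code): assemble container-related options
# for "aib build" from three inputs. Helper names are hypothetical.

# aib_build_args MODE KVM STORAGE
#   MODE    : rootful | rootless
#   KVM     : yes | no   (is /dev/kvm usable on the build host?)
#   STORAGE : directory for --container-storage, or "" for the default store
aib_build_args() {
  mode="$1"; kvm="$2"; storage="$3"
  case "$mode" in
    rootful)
      args="--container"
      # Rootful containers can create disk images without --vm, but --vm is
      # still preferred (it uses the target image's kernel); omit it only
      # when KVM is unavailable.
      if [ "$kvm" = yes ]; then
        args="$args --vm"
      else
        echo "warning: no KVM on this host, building without --vm" >&2
      fi ;;
    rootless)
      args="--user-container"
      # AIB enables --vm itself for disk-image outputs in rootless mode, so no
      # flag is added here; without KVM those outputs cannot use the VM.
      if [ "$kvm" != yes ]; then
        echo "warning: no KVM on this host; rootless disk-image outputs need --vm" >&2
      fi ;;
    *) echo "unknown mode: $mode (use rootful or rootless)" >&2; return 1 ;;
  esac
  # A separate store keeps build artifacts out of the regular per-user store.
  if [ -n "$storage" ]; then
    args="$args --container-storage $storage"
  fi
  printf '%s\n' "$args"
}

# aib_host_defaults: derive MODE and KVM from the host. Simplifying assumption:
# running as uid 0 means Podman is set up for rootful operation.
aib_host_defaults() {
  if [ "$(id -u)" -eq 0 ]; then mode=rootful; else mode=rootless; fi
  if [ -c /dev/kvm ]; then kvm=yes; else kvm=no; fi
  printf '%s %s\n' "$mode" "$kvm"
}

# Usage (prints the command instead of running it):
#   set -- $(aib_host_defaults)
#   echo "aib build $(aib_build_args "$1" "$2" /var/tmp/aib-storage) --target qemu manifest.aib.yml my-image"
```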
Privilege requirements for rootful versus rootless builds
All AIB build commands require root when run natively but support rootless
operation with --user-container. The list-distro and list-targets
commands require no privileges.
Next steps
- For step-by-step instructions, see Running rootless and containerized builds.
- For the complete list of container options, run
aib build --help.