Building container images without user namespaces


Note: If you're looking for instructions on building regular docker containers, you're in the wrong place. These instructions are for udocker, not actual Docker or rootless docker.


udocker is a tool that runs simple Docker containers in user space without root privileges or user namespaces. It cannot build images from a Dockerfile, however, which makes bringing new container images into it difficult. I managed to replicate that functionality using kaniko and skopeo.

Note that this method is quite hacky and has some issues:

1. Build the image

Set the image name in an environment variable that can be reused later:

IMAGE_NAME=mattx/my-alpine

Create a directory and copy your build context and Dockerfile into it. For example:

mkdir build
cd build
cat > Dockerfile <<EOF
FROM alpine
RUN apk add --no-cache curl
EOF

Run the build:

udocker run --rm -v "$(pwd):/workspace" \
    gcr.io/kaniko-project/executor:latest \
    --dockerfile /workspace/Dockerfile \
    --tar-path /workspace/intermediate.tar \
    --no-push \
    --destination "$IMAGE_NAME"

2. Convert the image

Kaniko outputs OCI images that won't work in udocker. To get around this, convert the image to a Docker v2 schema 2 archive (the -f v2s2 option) with skopeo:

udocker run --rm -v "$(pwd):/workspace" quay.io/skopeo/stable:latest \
    copy -f v2s2 docker-archive:/workspace/intermediate.tar \
    "docker-archive:/workspace/output.tar:$IMAGE_NAME"

3. Load the image

At this point intermediate.tar is no longer needed and can be removed. To load the image, run:

udocker load -i output.tar

4. Run the image

You can now try running the image with udocker:

udocker run --rm docker.io/$IMAGE_NAME

You might need to use docker.io/library/$IMAGE_NAME instead if IMAGE_NAME has no username (namespace) prefix.
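The four steps above collected into one script, as an added example that is not part of udocker, kaniko or skopeo. The helper names udocker_ref and build_and_load are mine, and the reference udocker_ref prints assumes that udocker registers a loaded image under docker.io/ (docker.io/library/ for names without a namespace) with :latest as the default tag, as the note above describes.

```shell
#!/bin/sh
# Added example: kaniko build -> skopeo convert -> udocker load in one script.
# Not part of udocker, kaniko or skopeo; helper names are assumptions.
set -eu

# Normalise a short image name to the reference udocker uses after
# `udocker load`: names without a namespace get docker.io/library/, names
# with one get docker.io/, and a missing tag becomes :latest (assumed
# behaviour; registry-qualified names such as myreg:5000/x are not handled).
udocker_ref() {
  name=$1
  case $name in
    */*) ;;                          # already has a namespace (user/repo)
    *)   name="library/$name" ;;     # official image: docker.io/library/<repo>
  esac
  case ${name##*/} in
    *:*) ;;                          # tag present on the last path component
    *)   name="$name:latest" ;;      # default tag
  esac
  printf '%s\n' "docker.io/$name"
}

# Build the context directory (must contain a Dockerfile), convert the
# kaniko tarball to a v2s2 docker-archive, and load it into udocker.
build_and_load() {
  ctx=$1; image=$2
  [ -f "$ctx/Dockerfile" ] || { echo "no Dockerfile in $ctx" >&2; return 1; }
  ctx=$(cd "$ctx" && pwd)            # the bind mount needs an absolute path
  udocker run --rm -v "$ctx:/workspace" gcr.io/kaniko-project/executor:latest \
    --dockerfile /workspace/Dockerfile --tar-path /workspace/intermediate.tar \
    --no-push --destination "$image"
  udocker run --rm -v "$ctx:/workspace" quay.io/skopeo/stable:latest \
    copy -f v2s2 docker-archive:/workspace/intermediate.tar \
    "docker-archive:/workspace/output.tar:$image"
  rm -f "$ctx/intermediate.tar"      # no longer needed after conversion
  udocker load -i "$ctx/output.tar"
  echo "loaded; run it with: udocker run --rm $(udocker_ref "$image")"
}

# Usage: sh build.sh ./build mattx/my-alpine
if [ "$#" -eq 2 ]; then
  build_and_load "$1" "$2"
fi
```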