Hi Helmut (2024.06.25_16:55:45_+0000)
> lxd/incus also was on my list,

Personally, I have been using LXD (and now Incus, as it made it into Debian, yay) for my experimentation and local package builds, for a number of years now. They have native support for btrfs snapshots, locally built images, and make it relatively simple to block network access for my builds. The autopkgtest-virt backend is a bit klunky, but I don't miss schroot at all.

> but my understanding is that they do not work without their system
> services at all

Correct. LXC containers are essentially VMs without their own kernel. They run their own systemd. This does mean that I build packages in a fatter system than necessary. But that has yet to be an issue for me.

> and being able to operate containers (i.e. being incus-admin or the
> like) roughly becomes equivalent to being full root on the system
> defeating the purpose of the exercise.

You don't have to be incus-admin to use Incus. Users get their own incus project (see the incus-user.service). But I've never played with this much; on a single-user system, incus-admin is just much simpler (if less secure).

Of course incus still has to be root itself to add network interfaces to bridges. It's nice to be able to control networking for the containers, but it would be even nicer for sbuild to not need setup that requires root.

Stefano

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272