> I suspect what you are actually asking to implement an OCI runtime with TinyKVM
Yes, that's what I meant! :) Apologies for the confusion!
On a related note, since you know the author ;), what capabilities[0] do I need to run TinyKVM?
The reason I'm asking is that I'm interested in nesting containers. E.g., I have a CI pipeline whose jobs run in containers and these jobs are in turn supposed to build container images. Today, this is very difficult to do securely (i.e. using rootless containers and no privileges, possibly with AppArmor & seccomp enabled) because the average OCI runtime requires capabilities that the parent OCI runtime doesn't grant by default (or that AppArmor disables by default).
Now, I only know very little about virtualization but I have been curious whether a virtualization-based sandbox might provide a way out here since IIUC the capabilities of the guest process running inside the sandbox/VM get emulated to some degree and don't necessarily need to be backed by capabilities available to the VM process on the host.
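Added illustration, not part of the thread or of TinyKVM: the first thing to check when a nested build "needs capabilities" is which ones the job's process actually holds, and the parent runtime only lets you keep what is in its bounding set. The snippet below decodes the hex masks the kernel prints in /proc/self/status (CapEff, CapBnd) into capability names and reports which of a required list are missing. The mask 00000000a80425fb is a constructed sample input (it is the set commonly granted to a default Docker container); the capability names and bit numbers follow include/uapi/linux/capability.h.

```shell
#!/bin/sh
# Capability bit names, index = bit number (see include/uapi/linux/capability.h).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# decode_caps HEXMASK: print the cap_* names whose bit is set, space separated.
decode_caps() {
  mask=$(printf '%d' "0x$1")   # hex string as printed in /proc/<pid>/status
  i=0
  out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
      out="${out:+$out }cap_$name"
    fi
    i=$(( i + 1 ))
  done
  printf '%s\n' "$out"
}

# missing_caps "NEEDED..." HEXMASK: print the needed caps absent from the mask.
missing_caps() {
  have=" $(decode_caps "$2") "
  miss=""
  for c in $1; do
    case "$have" in
      *" $c "*) ;;
      *) miss="${miss:+$miss }$c" ;;
    esac
  done
  printf '%s\n' "$miss"
}

# proc_caps FIELD: read CapEff / CapBnd / CapPrm of this process (Linux only).
proc_caps() { awk -v f="$1:" '$1 == f { print $2 }' /proc/self/status; }

# Constructed sample: the default set of a Docker container.
SAMPLE_MASK="00000000a80425fb"
echo "sample effective set: $(decode_caps "$SAMPLE_MASK")"
echo "missing for a hypothetical runtime that wants sys_admin: \
$(missing_caps "cap_sys_admin cap_net_raw cap_chown" "$SAMPLE_MASK")"

# Live check of the current process; skipped where /proc is unavailable.
if [ -r /proc/self/status ]; then
  echo "CapEff: $(decode_caps "$(proc_caps CapEff)")"
  echo "CapBnd: $(decode_caps "$(proc_caps CapBnd)")"
fi
```

Compare CapBnd, not just CapEff: a nested runtime can regain at most what is in the bounding set. Inside a rootless (user-namespaced) container the names look the same but the capabilities apply only to resources owned by that namespace, which is exactly why a child runtime that wants, say, cap_sys_admin on host-owned mounts still fails.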
Could you specify this a bit? @codethief
The way it's phrased makes it sound like you want to stuff TinyKVM into a container, but I suspect what you are actually asking to implement an OCI runtime with TinyKVM https://github.com/opencontainers/runtime-spec/blob/main/spe...
Does that make more sense?