Bug 23631: Use rootless containers

90c077db · boklm · 2c9dce8d · 90c077db · 90c077db · 2c9dce8d
Unverified Commit 90c077db authored 4 years ago by boklm
--- a/README
+++ b/README
@@ -4,12 +4,10 @@ Tor Browser Build
 Installing build dependencies
 -----------------------------

-To build Tor Browser, you need a Linux distribution that has support
-for runc (such as Debian Buster, Ubuntu 16.04, Fedora 30, etc ...).
-
-Your user account should have sudo access, which is required to be able
-to extract container file systems, start containers and copy files to and
-from containers.
+To build Tor Browser, you need a recent Linux distribution with support
+for user_namespaces(7) (such as Debian Buster, Ubuntu 16.04, Fedora 30,
+etc ...). You will need to install the uidmap package, providing the
+newuidmap and newgidmap commands.

 The sources of most components are downloaded using git, which needs to
 be installed.
@@ -40,12 +38,20 @@ If you are running Debian or Ubuntu, you can install them with:
                  libio-captureoutput-perl libjson-perl libpath-tiny-perl \
                  libstring-shellquote-perl libsort-versions-perl \
                  libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
-                  libfile-copy-recursive-perl libfile-slurp-perl git runc
+                  libfile-copy-recursive-perl libfile-slurp-perl git \
+                  uidmap

 The build system is based on rbm, which is included as a git submodule
 in the rbm/ directory. You can fetch the rbm git submodule by running
 'make submodule-update'.

+The build uses user_namespaces(7), which are disabled by default on Debian.
+To enable them you can use the following command as root:
+
+  # sysctl -w kernel.unprivileged_userns_clone=1
+
+You can enable them permanently by adding the setting to /etc/sysctl.d/
+

 Starting a build
 ----------------

--- a/README.HACKING
+++ b/README.HACKING
@@ -305,6 +305,29 @@ The path to the container should be printed on the screen in case you
 want to backup its rootfs to be able to look at it later.


+Manually removing old containers
+--------------------------------
+
+When a build finishes or when you exit a debugging shell, the old
+container should automatically be removed. In some cases however, for
+example your computer is rebooted in the middle of a build, some old
+container directories may be left in the tmp directory. Some of the
+files in the container directories are owned by subordinate user ids
+(see the subuid man page), which will prevent you from removing them
+with your normal user id. To remove them you can open a container
+shell (a new User namespace) using the following command:
+
+   $ ./rbm/container run -- /bin/bash
+
+From this shell you should be able to remove the old containers
+directories in the tmp directory.
+
+It is also possible to pass the rm command directly without opening a
+shell:
+
+   $ ./rbm/container run -- rm -Rf ./tmp/rbm-*
+
+
 Testing an rbm patch
 --------------------


--- a/projects/common/runc-config.json
+++ b/projects/common/runc-config.json
-{
-	"ociVersion": "1.0.0[% IF !c("var_p/runc_spec100") %]-rc1[% END %]",
-	"platform": {
-		"os": "linux",
-		"arch": "amd64"
-	},
-	"process": {
-		"terminal": [% IF c("interactive") %]true[% ELSE %]false[% END %],
-		"user": {
-			"uid": 0,
-			"gid": 0
-		},
-		"args": [
-			"/rbm/run"
-		],
-		"env": [
-			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
-			"TERM=xterm"
-		],
-		"cwd": "/",
-[% IF c("var_p/runc_spec100") -%]
-		"capabilities": {
-			"bounding": [
-				"CAP_AUDIT_WRITE",
-				"CAP_KILL",
-				"CAP_NET_BIND_SERVICE",
-				"CAP_SETGID",
-				"CAP_SETUID",
-				"CAP_MKNOD",
-				"CAP_SYS_CHROOT",
-[% IF c("var/container/CAP_SYS_ADMIN") -%]
-				"CAP_SYS_ADMIN",
-[% END -%]
-				"CAP_FSETID",
-				"CAP_FOWNER",
-				"CAP_DAC_OVERRIDE",
-				"CAP_CHOWN"
-			],
-			"effective": [
-				"CAP_AUDIT_WRITE",
-				"CAP_KILL",
-				"CAP_NET_BIND_SERVICE",
-				"CAP_SETGID",
-				"CAP_SETUID",
-				"CAP_MKNOD",
-				"CAP_SYS_CHROOT",
-[% IF c("var/container/CAP_SYS_ADMIN") -%]
-				"CAP_SYS_ADMIN",
-[% END -%]
-				"CAP_FSETID",
-				"CAP_FOWNER",
-				"CAP_DAC_OVERRIDE",
-				"CAP_CHOWN"
-			],
-			"inheritable": [
-				"CAP_AUDIT_WRITE",
-				"CAP_KILL",
-				"CAP_NET_BIND_SERVICE",
-				"CAP_SETGID",
-				"CAP_SETUID",
-				"CAP_MKNOD",
-				"CAP_SYS_CHROOT",
-[% IF c("var/container/CAP_SYS_ADMIN") -%]
-				"CAP_SYS_ADMIN",
-[% END -%]
-				"CAP_FSETID",
-				"CAP_FOWNER",
-				"CAP_DAC_OVERRIDE",
-				"CAP_CHOWN"
-			],
-			"permitted": [
-				"CAP_AUDIT_WRITE",
-				"CAP_KILL",
-				"CAP_NET_BIND_SERVICE",
-				"CAP_SETGID",
-				"CAP_SETUID",
-				"CAP_MKNOD",
-				"CAP_SYS_CHROOT",
-[% IF c("var/container/CAP_SYS_ADMIN") -%]
-				"CAP_SYS_ADMIN",
-[% END -%]
-				"CAP_FSETID",
-				"CAP_FOWNER",
-				"CAP_DAC_OVERRIDE",
-				"CAP_CHOWN"
-			],
-			"ambient": [
-				"CAP_AUDIT_WRITE",
-				"CAP_KILL",
-				"CAP_NET_BIND_SERVICE",
-				"CAP_SETGID",
-				"CAP_SETUID",
-				"CAP_MKNOD",
-				"CAP_SYS_CHROOT",
-[% IF c("var/container/CAP_SYS_ADMIN") -%]
-				"CAP_SYS_ADMIN",
-[% END -%]
-				"CAP_FSETID",
-				"CAP_FOWNER",
-				"CAP_DAC_OVERRIDE",
-				"CAP_CHOWN"
-			]
-		},
-[% ELSE -%]
-		"capabilities": [
-			"CAP_AUDIT_WRITE",
-			"CAP_KILL",
-			"CAP_NET_BIND_SERVICE",
-			"CAP_SETGID",
-			"CAP_SETUID",
-			"CAP_MKNOD",
-			"CAP_SYS_CHROOT",
-[% IF c("var/container/CAP_SYS_ADMIN") -%]
-			"CAP_SYS_ADMIN",
-[% END -%]
-			"CAP_FSETID",
-			"CAP_FOWNER",
-			"CAP_DAC_OVERRIDE",
-			"CAP_CHOWN"
-		],
-[% END -%]
-		"noNewPrivileges": true
-	},
-	"root": {
-		"path": "rootfs",
-		"readonly": false
-	},
-	"hostname": "runc",
-	"mounts": [
-		{
-			"destination": "/proc",
-			"type": "proc",
-			"source": "proc"
-		},
-		{
-			"type": "bind",
-			"source": "/etc/resolv.conf",
-			"destination": "/etc/resolv.conf",
-			"options": [
-				"rbind",
-				"ro"
-			]
-		},
-		{
-			"destination": "/dev",
-			"type": "tmpfs",
-			"source": "tmpfs",
-			"options": [
-				"nosuid",
-				"strictatime",
-				"mode=755",
-				"size=65536k"
-			]
-		},
-		{
-			"destination": "/dev/pts",
-			"type": "devpts",
-			"source": "devpts",
-			"options": [
-				"nosuid",
-				"noexec",
-				"newinstance",
-				"ptmxmode=0666",
-				"mode=0620",
-				"gid=5"
-			]
-		},
-		{
-			"destination": "/dev/shm",
-			"type": "tmpfs",
-			"source": "shm",
-			"options": [
-				"nosuid",
-				"noexec",
-				"nodev",
-				"mode=1777",
-				"size=65536k"
-			]
-		},
-		{
-			"destination": "/dev/mqueue",
-			"type": "mqueue",
-			"source": "mqueue",
-			"options": [
-				"nosuid",
-				"noexec",
-				"nodev"
-			]
-		},
-		{
-			"destination": "/sys",
-			"type": "sysfs",
-			"source": "sysfs",
-			"options": [
-				"nosuid",
-				"noexec",
-				"nodev",
-				"ro"
-			]
-		},
-		{
-			"destination": "/sys/fs/cgroup",
-			"type": "cgroup",
-			"source": "cgroup",
-			"options": [
-				"nosuid",
-				"noexec",
-				"nodev",
-				"relatime",
-				"ro"
-			]
-		}
-	],
-	"hooks": {},
-	"linux": {
-		"resources": {
-			"devices": [
-				{
-					"allow": false,
-					"access": "rwm"
-				}
-			]
-		},
-		"namespaces": [
-			{
-				"type": "pid"
-			},
-			{
-				"type": "ipc"
-			},
-			{
-				"type": "uts"
-			},
-[% IF c("var/container/disable_network/" _ c("exec_name")) -%]
-			{
-				"type": "network",
-				"path": "/var/run/netns/rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]"
-			},
-[% END -%]
-			{
-				"type": "mount"
-			}
-		],
-		"maskedPaths": [
-			"/proc/kcore",
-			"/proc/latency_stats",
-			"/proc/timer_stats",
-[% IF c("var_p/runc_spec100") -%]
-			"/proc/timer_list",
-			"/sys/firmware",
-[% END -%]
-			"/proc/sched_debug"
-		],
-		"readonlyPaths": [
-			"/proc/asound",
-			"/proc/bus",
-			"/proc/fs",
-			"/proc/irq",
-			"/proc/sys",
-			"/proc/sysrq-trigger"
-		]
-	},
-	"solaris": {
-		"cappedCPU": {},
-		"cappedMemory": {}
-	}
-}
--- a/projects/container-image/config
+++ b/projects/container-image/config
@@ -70,9 +70,9 @@ remote_get: |
    SET dst = shell_quote(c('get_dst', { error_if_undef => 1 }));
  -%]
  mkdir -p "[% dst %]"
-  sudo tar -C "[% c("var/container/dir") %]/rootfs" -czf "[% dst %]/[% c("filename") %]" .
+  [% c("rbmdir") %]/container archive '[% c("var/container/dir") %]' "[% dst %]/[% c("filename") %]"

 input_files:
-  - project: debootstrap-image
+  - project: mmdebstrap-image
    target:
      - '[% c("var/container/suite") %]-[% c("var/container/arch") %]'
--- a/projects/debootstrap-image/config
+++ b/projects/debootstrap-image/config
-# vim: filetype=yaml sw=2
-filename: 'container-image_[% c("var/container/suite") %]-[% c("var/container/arch") %]-[% c("version") %].tar.gz'
-version: 3
-pkg_type: build
-
-var:
-  ubuntu_version: 20.04.1
-
-  container:
-    use_container: 1
-    # We need CAP_SYS_ADMIN for debootstrap to work
-    CAP_SYS_ADMIN: 1
-
-pre: |
-  #!/bin/sh
-  set -e
-  export DEBIAN_FRONTEND=noninteractive
-  apt-get update -y -q
-  apt-get install -y -q debian-archive-keyring ubuntu-keyring debootstrap
-  debootstrap --arch=[% c("var/container/arch") %] [% c("var/container/debootstrap_opt") %] [% c("var/container/suite") %] base-image [% c("var/container/debootstrap_mirror") %]
-  [% IF c("var/apt_package_filename") || c("var/apt_utils_package_filename") || c("var/libapt_inst_package_filename") || c("var/libapt_pkg_package_filename") -%]
-    mkdir ./base-image/apt-update
-    mv [% c("var/apt_package_filename") %] [% c("var/apt_utils_package_filename") %] \
-       [% c("var/libapt_inst_package_filename") %] [% c("var/libapt_pkg_package_filename") %] \
-       ./base-image/apt-update
-    mount proc ./base-image/proc -t proc
-    mount sysfs ./base-image/sys -t sysfs
-    chroot ./base-image dpkg -i -R /apt-update
-    umount ./base-image/proc
-    umount ./base-image/sys
-  [% END -%]
-  [% IF c("var/minimal_apt_version") -%]
-    apt_version=$(dpkg --admindir=$(pwd)/base-image/var/lib/dpkg -s apt | grep '^Version: ' | cut -d ' ' -f 2)
-    echo "apt version: $apt_version"
-    dpkg --compare-versions "$apt_version" ge '[% c("var/minimal_apt_version") %]'
-  [% END -%]
-  tar -C ./base-image -czf [% dest_dir %]/[% c("filename") %] .
-
-targets:
-  jessie-amd64:
-    var:
-      minimal_apt_version: 1.0.9.8.7
-      # CVE-2020-27350
-      apt_packages_baseurl: https://deb.freexian.com/extended-lts/pool/main/a/apt
-      apt_package_filename: apt_1.0.9.8.7_amd64.deb
-      apt_package_sha256sum: 02d5c6240e3410234e91facd4279c1acdce1523b583e05fac7ad64bdc75db7c7
-      apt_utils_package_filename: apt-utils_1.0.9.8.7_amd64.deb
-      apt_utils_package_sha256sum: aa6f0cc7cf2e7cc6e5c56782019cd651d26b01d280aef4d25288587e198ff2d3
-      libapt_inst_package_filename: libapt-inst1.5_1.0.9.8.7_amd64.deb
-      libapt_inst_package_sha256sum: a85c99a64f3d6cdde5bf0849649c2d5f21c7513987854628659ea014bc3eb214
-      libapt_pkg_package_filename: libapt-pkg4.12_1.0.9.8.7_amd64.deb
-      libapt_pkg_package_sha256sum: 0db2410376516f3420594647afc72dc99b48a44877eae4e8c79444a8244e988f
-
-      container:
-        suite: jessie
-        arch: amd64
-
-  buster-amd64:
-    var:
-      minimal_apt_version: 1.8.2
-      container:
-        suite: buster
-        arch: amd64
-
-input_files:
-  - URL: 'https://cdimage.ubuntu.com/ubuntu-base/releases/[% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
-    filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
-    sha256sum: 97f6cbcf41f39272c84e32b6f926ed5d6906c6e463a557025181f4aa191ad667
-  - URL: '[% c("var/apt_packages_baseurl") %]/[% c("var/apt_package_filename") %]'
-    sha256sum: '[% c("var/apt_package_sha256sum") %]'
-    enable: '[% c("var/apt_package_filename") %]'
-  - URL: '[% c("var/apt_packages_baseurl") %]/[% c("var/apt_utils_package_filename") %]'
-    sha256sum: '[% c("var/apt_utils_package_sha256sum") %]'
-    enable: '[% c("var/apt_utils_package_filename") %]'
-  - URL: '[% c("var/apt_packages_baseurl") %]/[% c("var/libapt_inst_package_filename") %]'
-    sha256sum: '[% c("var/libapt_inst_package_sha256sum") %]'
-    enable: '[% c("var/libapt_inst_package_filename") %]'
-  - URL: '[% c("var/apt_packages_baseurl") %]/[% c("var/libapt_pkg_package_filename") %]'
-    sha256sum: '[% c("var/libapt_pkg_package_sha256sum") %]'
-    enable: '[% c("var/libapt_pkg_package_filename") %]'
--- a/projects/debootstrap-image/build
+++ b/projects/debootstrap-image/build
--- a/projects/mmdebstrap-image/config
+++ b/projects/mmdebstrap-image/config
+# vim: filetype=yaml sw=2
+filename: 'container-image_[% c("var/container/suite") %]-[% c("var/container/arch") %]-[% c("version") %].tar.gz'
+version: 1
+pkg_type: build
+
+var:
+  ubuntu_version: 20.04.1
+
+  container:
+    use_container: 1
+
+pre: |
+  #!/bin/sh
+  set -e
+  rootdir=$(pwd)
+  export DEBIAN_FRONTEND=noninteractive
+  apt-get update -y -q
+  apt-get install -y -q debian-archive-keyring ubuntu-keyring mmdebstrap gnupg patch
+
+  export SOURCE_DATE_EPOCH='[% c("timestamp") %]'
+  tar -xf [% c('input_files_by_name/mmdebstrap') %]
+  # As a user namespace inside an other user namespace doesn't seem to work,
+  # we patch mmdebstrap to avoid creating a new user namespace
+  patch -d mmdebstrap -p1 < mmdebstrap-no-user-ns.patch
+  ./mmdebstrap/mmdebstrap --mode=unshare [% c("var/container/mmdebstrap_opt") %] [% c("var/container/suite") %] output.tar.gz [% c("var/container/debian_mirror") %]
+
+  [% IF c("var/minimal_apt_version") -%]
+    mkdir base-image
+    tar -C base-image -xf output.tar.gz ./var/lib/dpkg
+    apt_version=$(dpkg --admindir=$rootdir/base-image/var/lib/dpkg -s apt | grep '^Version: ' | cut -d ' ' -f 2)
+    echo "apt version: $apt_version"
+    dpkg --compare-versions "$apt_version" ge '[% c("var/minimal_apt_version") %]'
+  [% END -%]
+
+  mv output.tar.gz [% dest_dir %]/[% c("filename") %]
+
+targets:
+  jessie-amd64:
+    var:
+      minimal_apt_version: 1.0.9.8.6
+
+      container:
+        suite: jessie
+        arch: amd64
+
+  buster-amd64:
+    var:
+      minimal_apt_version: 1.8.2
+      container:
+        suite: buster
+        arch: amd64
+
+input_files:
+  - project: mmdebstrap
+    name: mmdebstrap
+  - URL: 'https://cdimage.ubuntu.com/ubuntu-base/releases/[% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
+    filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
+    sha256sum: 97f6cbcf41f39272c84e32b6f926ed5d6906c6e463a557025181f4aa191ad667
+  - filename: mmdebstrap-no-user-ns.patch
--- a/projects/mmdebstrap-image/mmdebstrap-no-user-ns.patch
+++ b/projects/mmdebstrap-image/mmdebstrap-no-user-ns.patch
+diff --git a/mmdebstrap b/mmdebstrap
+index 9b7d892..5d85a74 100755
+--- a/mmdebstrap
+++ b/mmdebstrap
+@@ -204,6 +204,7 @@ sub get_tar_compressor {
+ }
+ 
+ sub test_unshare {
+    return 1;
+     my $verbose = shift;
+     if ($EFFECTIVE_USER_ID == 0) {
+         my $msg = "cannot use unshare mode when executing as root";
+@@ -382,7 +383,7 @@ sub get_unshare_cmd {
+     my $idmap = shift;
+ 
+     my $unshare_flags
+-      = $CLONE_NEWUSER | $CLONE_NEWNS | $CLONE_NEWPID | $CLONE_NEWUTS
+      = $CLONE_NEWNS | $CLONE_NEWPID | $CLONE_NEWUTS
+       | $CLONE_NEWIPC;
+ 
+     if (0) {
+@@ -457,6 +458,8 @@ sub get_unshare_cmd {
+                     $gidmapcmd .= " $hostid $nsid $range";
+                 }
+             }
+	    $uidmapcmd = "";
+	    $gidmapcmd = "";
+             my $idmapcmd = '';
+             if ($uidmapcmd ne "") {
+                 0 == system "newuidmap $ppid $uidmapcmd"
--- a/projects/mmdebstrap/build
+++ b/projects/mmdebstrap/build
+#!/bin/bash
+[% c("var/set_default_env") -%]
+tar xf [% project %]-[% c("version") %].tar.gz
+mv [% project %]-[% c("version") %] [% project %]
+[% c('tar', {
+        tar_src => [ project ],
+        tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
+    }) %]
--- a/projects/mmdebstrap/config
+++ b/projects/mmdebstrap/config
+# vim: filetype=yaml sw=2
+version: 655857e5259436755f34b908d07a6ebd4c8b0303
+git_url: http://gitlab.mister-muffin.de/josch/mmdebstrap.git
+git_hash: '[% c("version") %]'
+filename: '[% project %]-src-[% c("version") %]-[% c("var/build_id") %].tar.gz'
--- a/rbm @ cfb4018d
+++ b/rbm @ cfb4018d
-Subproject commit 15c84760ebe3f2677d1212aa00ef6f7485446a69
+Subproject commit cfb4018d34400e43837e77754519b3c2761b7ae6
--- a/rbm.conf
+++ b/rbm.conf
@@ -495,13 +495,13 @@ gpg_wrapper: |
        exec [% c('gpg_bin') %] [% c('gpg_args') %] --with-fingerprint [% gpg_kr %] "$@"
  fi

-remote_start: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_start") %][% END %]'
-remote_exec: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_exec") %][% END %]'
-remote_put: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_put") %][% END %]'
-remote_get: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_get") %][% END %]'
-remote_finish: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_finish") %][% END %]'
+remote_start: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("container/remote_start") %][% END %]'
+remote_exec: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("container/remote_exec") %][% END %]'
+remote_put: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("container/remote_put") %][% END %]'
+remote_get: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("container/remote_get") %][% END %]'
+remote_finish: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("container/remote_finish") %][% END %]'

-runc:
+container:
  remote_start: |
    #!/bin/sh
    set -e
@@ -511,11 +511,9 @@ runc:
      ls -l '[% c("remote_srcdir") %]' >&2
      exit 1
    fi
-    mkdir -p '[% c("var/container/dir") %]'/rootfs/rbm
-    sudo tar -C '[% c("var/container/dir") %]'/rootfs -xf $(ls -1 '[% c("remote_srcdir", { error_if_undef => 1 }) %]/container-image_'*)
-    [% SET user = c("var/container/user") -%]
-    [% c("remote_exec", { exec_as_root => 1, exec_cmd => 'id ' _ user
-        _ ' >/dev/null 2>&1 || adduser -m ' _ user _ ' || useradd -m ' _ user }) %]
+    [% c("rbmdir") %]/container extract '[% c("var/container/dir") %]' '[% c("remote_srcdir", { error_if_undef => 1 }) %]/container-image_'*
+    test -d '[% c("var/container/dir") %]'/home/rbm || \
+      [% c("rbmdir") %]/container run --chroot='[% c("var/container/dir") %]' -- /usr/sbin/useradd -m [% c("var/container/user") %]

  remote_exec: |
    #!/bin/sh
@@ -523,26 +521,27 @@ runc:
    [% IF c("interactive") -%]
      echo Container directory: [% shell_quote(c("var/container/dir")) %]
    [% END -%]
-    mkdir -p '[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs/rbm
-    echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rootfs/rbm/cmd
-    echo [% shell_quote(c('exec_cmd')) %] >> '[% c("var/container/dir") %]'/rootfs/rbm/cmd
-    echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rootfs/rbm/run
-    [% IF c('exec_as_root'); SET user = 'root'; ELSE; SET user = c("var/container/user", { error_if_undef => 1 }); END; %]
-    echo 'su - [% user %] -c /rbm/cmd' >> '[% c("var/container/dir") %]'/rootfs/rbm/run
-    chmod +x '[% c("var/container/dir") %]'/rootfs/rbm/cmd
-    chmod +x '[% c("var/container/dir") %]'/rootfs/rbm/run
-    cat > '[% c("var/container/dir") %]'/config.json << EOF
-    [% INCLUDE 'runc-config.json' %]
-    EOF
-    [% IF c("var/container/disable_network/" _ c("exec_name")) -%]
-      sudo ip netns add 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]'
-      # make sure the lo interface is up (see bug 31293)
-      sudo ip netns exec 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]' ip link set lo up
-    [% END -%]
-    sudo runc [% IF c("var_p/runc100") %]run[% ELSE %]start[% END %] -b '[% c("var/container/dir") %]' rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %] [% IF c("runc_hide_stderr") %]2>/dev/null[% END %]
+    mkdir -p '[% c("var/container/dir", { error_if_undef => 1 }) %]'/rbm
+    echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rbm/cmd
+    echo [% shell_quote(c('exec_cmd')) %] >> '[% c("var/container/dir") %]'/rbm/cmd
+    echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rbm/run
    [% IF c("var/container/disable_network/" _ c("exec_name")) -%]
-      sudo ip netns delete 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]'
+      # Some programs such as gradle need the lo interface to be up.
+      # See for example tor-browser#31293
+      echo 'ip link set lo up' >> '[% c("var/container/dir") %]'/rbm/run
    [% END -%]
+    [% IF c('exec_as_root'); SET user = 'root'; ELSE; SET user = c("var/container/user", { error_if_undef => 1 }); END; %]
+    echo 'su - [% user %] -c /rbm/cmd' >> '[% c("var/container/dir") %]'/rbm/run
+    chmod +x '[% c("var/container/dir") %]'/rbm/cmd
+    chmod +x '[% c("var/container/dir") %]'/rbm/run
+    [%
+       IF c("var/container/disable_network/" _ c("exec_name"));
+         SET disable_network = '--disable-network';
+       ELSE;
+         SET disable_network = '';
+       END;
+    -%]
+    [% c("rbmdir") %]/container run [% disable_network %] --chroot='[% c("var/container/dir") %]' -- /rbm/run

  remote_put: |
    #!/bin/sh
@@ -551,12 +550,7 @@ runc:
      SET src = shell_quote(c('put_src', { error_if_undef => 1 }));
      SET dst = shell_quote(c('put_dst', { error_if_undef => 1 }));
    -%]
-    sudo mkdir -p '[% c("var/container/dir") %]'/rootfs/[% dst %]
-    sudo cp -aP [% src %] '[% c("var/container/dir") %]'/rootfs/[% dst %]
-    # On Ubuntu, the /root/.profile file contains a `mesg n` line which is
-    # producing some `stdin: is not a tty` messages. To hide them, we hide
-    # stderr from this part by setting runc_hide_stderr.
-    [% c("remote_exec", { exec_as_root => 1, exec_cmd => 'chown -R ' _ c("var/container/user") _ ' ' _ dst, runc_hide_stderr => 1 }) %]
+    [% c("rbmdir") %]/container put '[% c("var/container/dir") %]' [% src %] [% dst %] [% c("var/container/user") %]

  remote_get: |
    #!/bin/sh
@@ -565,24 +559,12 @@ runc:
      SET src = shell_quote(c('get_src', { error_if_undef => 1 }));
      SET dst = shell_quote(c('get_dst', { error_if_undef => 1 }));
    -%]
-    mkdir -p [% dst %]
-    srcdir='[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs/[% src %]
-    sudo chown -R $(whoami) "$srcdir"
-    if [ $(ls -1 "$srcdir"/* 2> /dev/null | wc -l) -gt 0 ]
-    then
-      for file in "$srcdir"/*
-      do
-        bname="$(basename "$file")"
-        test -e [% dst %]/"$bname" && rm -Rf [% dst %]/"$bname"
-        mv -f "$file" [% dst %]/
-      done
-    fi
+    [% c("rbmdir") %]/container get '[% c("var/container/dir") %]' [% src %] [% dst %]

  remote_finish: |
    #!/bin/sh
    set -e
-    sudo rm -Rf '[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs '[% c("var/container/dir", { error_if_undef => 1 }) %]'/config.json
-    rmdir '[% c("var/container/dir") %]'
+    [% c("rbmdir") %]/container remove '[% c("var/container/dir") %]'

 ENV:
  TZ: UTC
@@ -592,18 +574,6 @@ ENV:
  use IO::CaptureOutput qw(capture_exec);
  (
    var_p => {
-      # runc100 is true if we are using runc >= 1.0.0
-      # we assume that any version that is not 0.1.1 is >= 1.0.0
-      runc100 => sub {
-        my ($out) = capture_exec('sudo', 'runc', '--version');
-        return !($out =~ m/^runc version 0.1.1/);
-      },
-      # runc_spec100 is true if runc spec is at least 1.0.0
-      # We will need to update this when there is a new spec version available
-      runc_spec100 => sub {
-        my ($out) = capture_exec('sudo', 'runc', '--version');
-        return $out =~ m/^.*spec: 1\.[0-9]+\.[0-9]+(?:-dev)?$/m;
-      },
      nightly_torbrowser_version => sub {
        state $version = '';
        return $version if $version;