Opam init in Dockerfile #4327

Closed
bruce-ricard opened this issue Aug 21, 2020 · 1 comment

@bruce-ricard

I am trying to run opam init in my Dockerfile, to create my own Docker image for my server to run in, but I am running into this issue:

docker run -it ubuntu:20.04 bash
apt update
apt install opam --yes
opam init --yes

bwrap: Creating new namespace failed: Operation not permitted

A similar question is asked in #3498, but in the context of a docker run command; the answer doesn't work for me, as we can't run docker build in privileged mode.

I see that I can instead run opam init --disable-sandboxing, but I'm not really sure I want to do that. The documentation about this flag is not very helpful; I have no idea what sandboxing is in this context. Is using this option the recommended path to initialize opam in a container?

@avsm
Member

avsm commented Aug 22, 2020

Sandboxing is a security mechanism to prevent source builds from doing writes outside of their build areas. We use bubblewrap (cgroups) for this on Linux, but it doesn't nest cleanly. You can either run your container as --privileged, in which case you can create namespaces and sandboxing will work.

You probably just want to run with --disable-sandboxing, as you already have container-level protection in place.
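
An added example, not part of the thread or of opam itself: a shell helper for a Dockerfile `RUN` step or CI script that probes whether bubblewrap can create namespaces in the current environment and falls back to `--disable-sandboxing` only when it cannot, logging the fallback so the build record shows it. It goes slightly beyond the thread by making the choice conditional. The function names are hypothetical, and the minimal `bwrap` invocation is assumed to be representative of what opam's sandbox needs.

```shell
#!/bin/sh
# Added example (not from the issue thread). Function names are hypothetical.

# sandbox_probe: succeeds only if bubblewrap is installed and is allowed to
# create a new namespace here. In an unprivileged container this fails with
# "bwrap: Creating new namespace failed: Operation not permitted".
sandbox_probe() {
    command -v bwrap >/dev/null 2>&1 || return 1
    # Assumption: a read-only bind of / plus a no-op command is a
    # sufficient stand-in for the sandbox opam would set up.
    bwrap --ro-bind / / true >/dev/null 2>&1
}

# opam_init_args [PROBE_CMD]: print the arguments to pass to `opam init`.
# PROBE_CMD defaults to sandbox_probe; it is a parameter so the decision
# logic can be exercised without bubblewrap present.
opam_init_args() {
    probe=${1:-sandbox_probe}
    if "$probe"; then
        # Namespaces are available: keep opam's sandbox enabled.
        echo "--yes"
    else
        # Record the downgrade on stderr so it shows up in the build log
        # without polluting the captured argument string.
        echo "note: bwrap cannot create namespaces; opam sandboxing disabled" >&2
        echo "--yes --disable-sandboxing"
    fi
}

# Typical use inside the image build (left commented so that sourcing
# this file has no side effects):
#   opam init $(opam_init_args)
```

With this in place the same script keeps sandboxing on hosts where bubblewrap works and relies on container-level isolation only inside the unprivileged build.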
