scripts/create_container.sh

#!/bin/bash
set -euo pipefail

# Our local user needs write access to /dev/kvm (best accomplished by
# adding your user to the kvm group).
if ! touch /dev/kvm; then
  echo "Cannot write to /dev/kvm - please verify permissions."
  exit 1
fi

# The KVM module needs to be loaded, since our container is unprivileged
# and won't be able to do it itself.
if ! [[ -d /sys/module/kvm ]]; then
  echo "kvm module not loaded - please modprobe kvm"
  exit 1
fi

# Rebuild base image
podman build -t smalltown-builder .

# Set up SELinux contexts to prevent the container from writing to
# files that would allow for easy breakouts via tools ran on the host.
chcon -R system_u:object_r:container_file_t:s0 .
chcon -R unconfined_u:object_r:user_home_t:s0 \
  .arcconfig .idea .git

# TODO(leo): mount .cache/bazel on a volume (waiting for podman issue to be fixed)
# https://github.com/containers/libpod/issues/4318
podman run -it -d \
    -v $(pwd):/work \
    -v smalltown-gopath:/root/go/pkg \
    -v smalltown-gobuildcache:/root/.cache/go-build \
    -v smalltown-bazelcache:/root/.cache/bazel/_bazel_root/cache \
    --tmpfs=/root/.cache/bazel:exec \
    --device /dev/kvm \
    --privileged \
    --userns=keep-id \
    --name=smalltown-dev \
    smalltown-builder