Use libcontainer for running containers

Drop the dependency on container engines like Docker or Podman by using
youki's `libcontainer` and `oci-spec` crates to run rootless containers,
while keeping all the logic doing that in our binary.

That solves the major problem we had with Docker - file ownership in
bind mounted volumes - where new files created inside container in a
volume with source code were owned by `root` and therefore inaccessible
for a regular user calling `icedragon`.

After this change, regular container engines are still used for building
the images.

Fixes #7

Author: vadorovsky

.github/workflows/ci.yml

@@ -79,6 +79,11 @@ jobs:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
 
+      # AppArmor, which is used on GitHub runners, prevents icedragon from
+      # calling `unshare` as an unprivileged used.
+      # TODO(vadorovsky): Write an AppArmor profile.
+      - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
       # Integration tests perform cross builds of different projects. Run each
       # of them separately, so each build can utilize all the cores. Gather
       # their output for easier debugging of failed CI builds.

Cargo.toml

@@ -23,21 +23,38 @@ anyhow = { version = "1.0.89", default-features = false }
 chrono = { version = "0.4", default-features = false }
 clap = { version = "4.5", default-features = false, features = ["derive", "help", "std"] }
 env_logger = { version = "0.11", default-features = false }
+flate2 = { version = "1.0", default-features = false, features = ["rust_backend"] }
+indicatif = { version = "0.17", default-features = false }
+libcontainer = { version = "0.5", default-features = false, features = ["v2"] }
 log = { version = "0.4", default-features = false }
+nix = { version = "0.29.0", default-features = false }
+oci-client = { version = "0.14", default-features = false, features = ["rustls-tls"] }
+# libcontainer fails to build with newer versions. Not a direct dependency of
+# icedragon.
+protobuf = "=3.2.0"
+rand = { version = "0.9", default-features = false, features = ["os_rng", "std_rng"] }
 target-lexicon = { version = "0.12", default-features = false }
+tar = { version = "0.4", default-features = false }
 thiserror = { version = "1.0.64", default-features = false }
+tokio = { version = "1.44", default-features = false, features = ["process", "rt-multi-thread"] }
+tokio-stream = { version = "0.1", default-features = false }
 uuid = { version = "1.10", default-features = false, features = ["v4"] }
 which = { version = "6.0", default-features = false }
 
 [dev-dependencies]
-flate2 = { version = "1.0", default-features = false, features = ["rust_backend"] }
 goblin = { version = "0.9", default-features = false, features = ["elf32", "elf64", "endian_fd", "std"] }
 liblzma = { version = "0.3", default-features = false }
 reqwest = { version = "0.12", default-features = false, features = ["blocking", "rustls-tls"] }
 tar = { version = "0.4", default-features = false }
 tempfile = { version = "3.16", default-features = false }
 test-case = { version = "3.3", default-features = false }
 
+[patch.crates-io]
+# Fix which makes it possible to use rootless libcontainer without systemd:
+# https://github.com/youki-dev/youki/issues/3144
+# https://github.com/youki-dev/youki/pull/3146
+libcontainer = { git = "https://github.com/vadorovsky/youki", branch = "cgroupfs-rootless-warning" }
+
 [[bin]]
 name = "icedragon"