Builds should start a VM instead of a container

[Conan-Kudo]

Truly hermetic builds require complete isolation from the host, including removal of the influence of the host kernel and system properties. In order to do so, Mock needs to learn how to boot up a lightweight virtual machine, similar to what obs-build does in this scenario (and to note, this is the default for obs-build).

This would essentially mean adding a third runtime backend (in addition to simple and nspawn) for KVM, and maybe also a fourth one for plain QEMU (for foreign arch builds).

The code from obs-build is fairly straightforward:

• KVM: https://github.com/openSUSE/obs-build/blob/master/build-vm-kvm
• QEMU: https://github.com/openSUSE/obs-build/blob/master/build-vm-qemu

This would also resolve several problems we have with container-based builds where host properties leak and break things (like #952, #691, #1100, #1222, #1487, #1554, and so on).

[xsuchy]

Technically, you are correct. However, for Konflux's purposes, the isolation in the container is good enough.
I think any PR that implements what you suggest will be welcomed.

[Conan-Kudo]

Technically, you are correct. However, for Konflux's purposes, the isolation in the container is good enough. I think any PR that implements what you suggest will be welcomed.

I wasn't really speaking of Konflux, but even in Konflux's case, container "isolation" is not good enough. We have packages in Fedora that fail because of quirks with container based runs. For example, the fish package test suite regularly randomly fails due to host-related quirks. There are test suites that can't run because they require access to "hardware devices" (most Wayland compositor test suites are like this, even if they don't pump out graphics).

Containers and chroots have always been not good enough for our purposes, what's pushing me over the edge is that it's a problem for image builds too and we really need to do better.