From 4c472d0827462309993f44036f0ffc4cc20a212b Mon Sep 17 00:00:00 2001
From: Mikkel Georgsen
Date: Sun, 25 Jan 2026 20:55:38 +0000
Subject: [PATCH] chore: prefer docker over podman for LXC compatibility

Podman rootless mode requires complex uid/gid mapping in LXC containers.
Docker works out of the box with nesting enabled.
Podman still supported as fallback if docker unavailable.

Co-Authored-By: Claude Opus 4.5
---
 backend/app/services/sandbox.py | 14 +++++++-------
 scripts/setup-sandbox.sh | 10 +++++-----
 scripts/test-iso-build.sh | 8 ++++----
 3 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/backend/app/services/sandbox.py b/backend/app/services/sandbox.py
index c93dbdb..81620c7 100644
--- a/backend/app/services/sandbox.py
+++ b/backend/app/services/sandbox.py
@@ -4,9 +4,9 @@ Container-based sandbox for isolated ISO builds.
 Runs archiso inside an Arch Linux container, allowing builds from any
 Linux host (Debian, Ubuntu, Fedora, etc.).
 
-Supports both Podman (preferred) and Docker:
-- Podman: Rootless by default, no daemon, better security
-- Docker: Fallback if Podman not available
+Supports both Docker (default) and Podman:
+- Docker: Better LXC/nested container compatibility
+- Podman: Rootless option if Docker unavailable
 
 Security measures:
 - --network=none: No network access during build
@@ -42,14 +42,14 @@ def detect_container_runtime() -> str | None:
     """
     Detect available container runtime.
 
-    Prefers Podman for rootless security, falls back to Docker.
+    Prefers Docker for LXC/development compatibility, falls back to Podman.
 
     Returns the command name or None if neither available.
     """
-    # Prefer podman for rootless security
-    if shutil.which("podman"):
-        return "podman"
+    # Prefer docker for better LXC compatibility
     if shutil.which("docker"):
         return "docker"
+    if shutil.which("podman"):
+        return "podman"
     return None
 
diff --git a/scripts/setup-sandbox.sh b/scripts/setup-sandbox.sh
index 04a9fa7..c350ac7 100755
--- a/scripts/setup-sandbox.sh
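Review bot: `shutil.which("docker")` in detect_container_runtime only proves a binary is on PATH, so on a host where docker is installed but its daemon is stopped or its socket is not accessible to the calling uid the function still returns "docker" and podman is never tried, which is narrower than the "fallback if docker unavailable" the commit message promises; the `command -v` checks in the setup-sandbox.sh and test-iso-build.sh hunks have the same gap. A cheap liveness probe (`<runtime> info` exiting 0) before returning a name closes it, as sketched below; whether `subprocess` is already imported in this module is not visible from the hunk. The rewritten docstring and comment also drop the one security-relevant fact the old text carried: the docker path goes through a root-owned daemon, so anyone who can reach its socket is root-equivalent on the host, whereas podman runs the build rootless — worth keeping a sentence such as `Docker relies on a root daemon (socket access is root-equivalent); podman remains the rootless choice where uid/gid mapping is available.` in the docstring so the sandbox's other mitigations are understood as load-bearing under Docker. The function's `def` line is outside the hunk.
```python
def _runtime_usable(name: str) -> bool:
    """Return True when *name* is on PATH and its `info` command succeeds (daemon/socket reachable)."""
    if not shutil.which(name):
        return False
    try:
        proc = subprocess.run([name, "info"], capture_output=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0


def detect_container_runtime() -> str | None:
    # … unchanged: docstring …
    # Prefer docker for better LXC compatibility, but only when it actually answers;
    # otherwise fall through to podman instead of returning a dead runtime.
    for name in ("docker", "podman"):
        if _runtime_usable(name):
            return name
    return None
```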
+++ b/scripts/setup-sandbox.sh
@@ -14,13 +14,13 @@ log() {
     echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
 }
 
-# Detect container runtime (prefer podman)
-if command -v podman &> /dev/null; then
-    RUNTIME="podman"
-    log "Found podman (recommended)"
-elif command -v docker &> /dev/null; then
+# Detect container runtime (prefer docker for LXC compatibility)
+if command -v docker &> /dev/null; then
     RUNTIME="docker"
     log "Found docker"
+elif command -v podman &> /dev/null; then
+    RUNTIME="podman"
+    log "Found podman"
 else
     log "ERROR: No container runtime found."
     log "Install podman (recommended) or docker:"
diff --git a/scripts/test-iso-build.sh b/scripts/test-iso-build.sh
index e0c7eea..711f311 100755
--- a/scripts/test-iso-build.sh
+++ b/scripts/test-iso-build.sh
@@ -16,11 +16,11 @@ log() {
     echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
 }
 
-# Detect container runtime
-if command -v podman &> /dev/null; then
-    RUNTIME="podman"
-elif command -v docker &> /dev/null; then
+# Detect container runtime (prefer docker for LXC compatibility)
+if command -v docker &> /dev/null; then
     RUNTIME="docker"
+elif command -v podman &> /dev/null; then
+    RUNTIME="podman"
 else
     log "ERROR: No container runtime found. Install podman or docker."
     exit 1
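Review bot: The else branch at the end of the setup-sandbox.sh hunk still prints `log "Install podman (recommended) or docker:"` while the detection above it now prefers docker, so a host with neither runtime is told the opposite of the new policy; change it to `log "Install docker (recommended) or podman:"` and check that the install hints that follow the hunk are ordered the same way. Since the script now steers users to docker, the `log "Found docker"` line is a reasonable place to add a one-line reminder that the invoking user needs docker socket access, which is root-equivalent on the host, e.g. `log "Found docker (note: docker socket access is root-equivalent; podman is the rootless option)"`. The if/else block continues outside the hunk.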
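Review bot: The test-iso-build.sh hunk hard-codes the same docker-first order that setup-sandbox.sh and sandbox.py's detect_container_runtime now carry, and none of the three lets a tester pick the rootless runtime on a host that has both, which the old ordering gave for free; an explicit override keeps the copies from drifting and preserves that option, e.g. `if [ -n "${CONTAINER_RUNTIME:-}" ]; then RUNTIME="$CONTAINER_RUNTIME"` as the first branch, with the existing `elif command -v docker` chain after it. `CONTAINER_RUNTIME` is a suggested name, not a variable the repo already defines. The surrounding if/else ends outside the hunk.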