- Sandbox auto-detects podman/docker and handles sudo requirement
- Podman needs sudo for mkarchiso (loop devices, chroot)
- Docker runs privileged via daemon (no sudo needed)
- Test profile updated for UEFI-only boot (modern approach)
- Build VM (debate-builder) successfully produced 432MB ISO
Architecture:
- Dev LXC: FastAPI, PostgreSQL, code
- Build VM: Podman + archiso for ISO generation
- SSH triggers builds remotely
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Podman rootless mode requires complex uid/gid mapping in LXC
containers. Docker works out of the box with nesting enabled.
Podman still supported as fallback if docker unavailable.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace systemd-nspawn (Arch-only) with Podman/Docker containers:
- Works on any Linux host (Debian, Ubuntu, Fedora, etc.)
- Prefers Podman for rootless security, falls back to Docker
- Uses archlinux:latest image with archiso installed
- Network isolation via --network=none
- Resource limits: 8GB RAM, 4 CPUs
- Deterministic builds via SOURCE_DATE_EPOCH
This allows ISO builds from any development/production environment
rather than requiring an Arch-based build server.
LXC/Proxmox users: enable nesting on the container.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create scripts/setup-sandbox.sh to bootstrap Arch base environment
- Add BuildSandbox class for container management and build execution
- Configure sandbox with network isolation, read-only root, 8GB/4core limits
- Add sandbox_root and iso_output_root settings to config
- Add FastAPI app with title 'Debate API' v1.0.0
- Configure pydantic-settings for environment-based configuration
- Create /health endpoint at root level
- Create /api/v1/health and /api/v1/health/ready endpoints
- Disable docs/redoc in production environment
