Podman rootless mode requires complex uid/gid mapping in LXC
containers. Docker works out of the box with nesting enabled.
Podman is still supported as a fallback if Docker is unavailable.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Replace systemd-nspawn (Arch-only) with Podman/Docker containers:
- Works on any Linux host (Debian, Ubuntu, Fedora, etc.)
- Prefers Podman for rootless security, falls back to Docker
- Uses archlinux:latest image with archiso installed
- Network isolation via --network=none
- Resource limits: 8GB RAM, 4 CPUs
- Deterministic builds via SOURCE_DATE_EPOCH
This allows ISO builds from any development/production environment
rather than requiring an Arch-based build server.
LXC/Proxmox users: enable nesting on the container.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Create scripts/setup-sandbox.sh to bootstrap Arch base environment
- Add BuildSandbox class for container management and build execution
- Configure sandbox with network isolation, read-only root, 8GB/4core limits
- Add sandbox_root and iso_output_root settings to config
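The two commit messages above (the Podman/Docker sandbox with `--network=none`, 8GB/4-core limits, read-only root and `SOURCE_DATE_EPOCH`, and the `setup-sandbox.sh`/`BuildSandbox` commit) describe the container invocation without showing it. The script below is an added example, not the project's own `scripts/setup-sandbox.sh` or `BuildSandbox` class. It composes that invocation so the flags can be inspected before anything runs. The image tag `localhost/arch-iso-builder:latest`, the `/work/...` mount paths, the tmpfs mounts and the `mkarchiso` arguments are assumptions; the commits do not specify them.

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts/setup-sandbox.sh or BuildSandbox:
# composes the sandboxed ISO build command the commit messages describe.
# Image tag, mount paths, tmpfs choice and mkarchiso arguments are assumptions.
set -eu

# Prefer podman (rootless), fall back to docker. Prints the runtime name;
# returns 1 if neither is installed so the caller can fail early.
pick_runtime() {
    local rt
    for rt in podman docker; do
        if command -v "$rt" >/dev/null 2>&1; then
            printf '%s\n' "$rt"
            return 0
        fi
    done
    return 1
}

# Containerfile for the build image: archlinux:latest with archiso installed.
# Build it once with: <runtime> build -t localhost/arch-iso-builder:latest <dir>
write_containerfile() {
    cat >"$1/Containerfile" <<'EOF'
FROM docker.io/library/archlinux:latest
RUN pacman -Syu --noconfirm archiso && pacman -Scc --noconfirm
EOF
}

# Compose the run command on one line (printed, never executed here).
#   $1 runtime (podman|docker)  $2 host dir with the archiso profile
#   $3 host work dir            $4 host output dir   $5 SOURCE_DATE_EPOCH
# Paths are %q-escaped so the result is safe to eval.
sandbox_cmd() {
    local runtime=$1 profile=$2 work=$3 out=$4 epoch=$5
    local image=${SANDBOX_IMAGE:-localhost/arch-iso-builder:latest}  # assumed tag
    printf '%s run --rm' "$runtime"
    printf ' --network=none'                         # no network inside the build
    printf ' --memory=8g --cpus=4'                   # limits from the commit message
    printf ' --read-only --tmpfs /tmp --tmpfs /run'  # read-only root; scratch on tmpfs
    printf ' -e SOURCE_DATE_EPOCH=%q' "$epoch"       # archiso stamps the ISO with this
    printf ' -v %q:/work/profile:ro' "$profile"      # profile is input only
    printf ' -v %q:/work/tmp' "$work"                # mkarchiso work dir (can be large)
    printf ' -v %q:/work/out' "$out"                 # the only host path that receives output
    printf ' %q' "$image"
    printf ' mkarchiso -v -w /work/tmp -o /work/out /work/profile\n'
}

# Deterministic builds need a fixed epoch: honour SOURCE_DATE_EPOCH if set,
# else use the commit time of the checkout, else refuse rather than falling
# back to "now", which would silently make the ISO non-reproducible.
pick_epoch() {
    if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
        printf '%s\n' "$SOURCE_DATE_EPOCH"
    elif git rev-parse --git-dir >/dev/null 2>&1; then
        git log -1 --format=%ct
    else
        echo "SOURCE_DATE_EPOCH unset and not in a git checkout" >&2
        return 1
    fi
}

# Usage: ./sandbox.sh <profile-dir> <work-dir> <out-dir>
# Prints the command; set SANDBOX_RUN=1 to execute it as well.
main() {
    local rt epoch cmd
    rt=$(pick_runtime) || { echo "neither podman nor docker found" >&2; return 1; }
    epoch=$(pick_epoch) || return 1
    cmd=$(sandbox_cmd "$rt" "$(realpath "$1")" "$(realpath "$2")" "$(realpath "$3")" "$epoch")
    printf '%s\n' "$cmd"
    if [ "${SANDBOX_RUN:-0}" = 1 ]; then
        eval "$cmd"   # safe: every variable part was %q-escaped in sandbox_cmd
    fi
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Two caveats a practitioner will hit. `mkarchiso` pacstraps into the work directory and mounts filesystems while doing so, so the container will typically need capabilities beyond the defaults; neither commit message says which, so add them deliberately after observing the failure instead of reaching for `--privileged`, which would undo the isolation the flags above buy. And, as the first commit notes, rootless Podman inside an LXC container depends on working uid/gid maps; when `pick_runtime` selects podman on such a host, check `podman unshare cat /proc/self/uid_map` before blaming the build.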