Unprivileged Docker/Podman container #3728

@deliciouslytyped

The docs on the website ( https://docs.sandstorm.io/en/latest/install/#option-6-using-sandstorm-within-docker ) currently state:

> Sandstorm needs to start as root so it can do its own containerization of itself

With instructions like:

$ docker run --privileged -i -t -v sandstorm-data-volume:/opt/sandstorm --name sandstorm-build buildpack-deps bash -c 'useradd --system --user-group sandstorm ; curl https://install.sandstorm.io/ > install.sh && REPORT=no bash install.sh -d -e'
$ docker run --privileged -i -t --sig-proxy=true -p 0.0.0.0:6080:6080 -v sandstorm-data-volume:/opt/sandstorm buildpack-deps bash -c 'useradd --system --user-group sandstorm && /opt/sandstorm/sandstorm start && tail -f /opt/sandstorm/var/log/sandstorm.log & sleep infinity'

I've successfully used nested podman before, though things can get kind of funky - it should be possible to get rid of the --privileged somehow.
