docker: gate --privileged behind DOCKER_PRIVILEGED toggle (default yes)

[iav]

Summary

Introduces a DOCKER_PRIVILEGED env var (default yes) gating the
hardcoded --privileged flag on the build container. When set to no,
the container launches with a narrow capability set instead.

This is intentionally a conservative first step: default behaviour
is unchanged. A follow-up PR can flip the default to no after
broader board coverage is confirmed.

Motivation

--privileged has been hardcoded in lib/functions/host/docker.sh:384
since 2022 (commit d24d3327a8). The original comment cited two
reasons:

Running this container in privileged mode is a simple way to solve
loop device access issues, required for USB FEL or when writing
image directly to the block device, when CARD_DEVICE is defined

Both reasons are stale today:

• USB FEL support was removed in ca6bf9046b (2023-02-09).
• CARD_DEVICE is passed explicitly via
  DOCKER_ARGS+=("--device=${CARD_DEVICE}") at docker.sh:471.

The surrounding code already has a near-complete narrow-capability
setup:

--cap-add=SYS_ADMIN, MKNOD, SYS_PTRACE
--security-opt=apparmor:unconfined
--device-cgroup-rule='b 7:* rmw'      # loop majors
--device-cgroup-rule='b 259:* rmw'    # loop partitions
-v /dev:/tmp/dev:ro                   # CONTAINER_COMPAT trick
--device=${loop_device_host}          # specific loops

This PR adds the two missing pieces to make a non-privileged container
usable for armbian builds:

• --device=/dev/loop-control:/dev/loop-control — losetup -f needs
  /dev/loop-control, not exposed without --privileged.
• --security-opt=seccomp=unconfined — default seccomp profile may
  block mount, pivot_root, unshare even with CAP_SYS_ADMIN,
  which breaks debootstrap and chroot setup.

Tested

• Host: aarch64 (Armbian 26.2.1 noble), kernel 7.0.1, Docker 29.4.1.

• Builds (all with ARTIFACT_IGNORE_CACHE=yes DOCKER_PRIVILEGED=no RELEASE=noble, full image build: debootstrap, loop, parted, mkfs,
  chroot, zstd, rsync):

  Board	Family	Arch	Profile	Kernel	Runtime
  odroidm1	rockchip64	arm64	minimal	7.0.2	49 min
  helios4	mvebu	armhf	server	6.18.25	134 min
  helios64	rockchip64	arm64	server	7.0.2	47 min

  All three: 🐳 successful, image written, no Operation not permitted / seccomp / loop_control errors in the log.

• DOCKER_PRIVILEGED unset (default yes) verified separately to keep
  current behaviour.

Out of scope

• The losetup helper at docker.sh:619 (docker run --rm --privileged --cap-add=MKNOD ...) is unchanged. It is gated by /dev/loop0
  missing on the host, which is rare on Linux. A follow-up could mirror
  the toggle there.
• The @TODO rpardini: maybe it's dead already? on --cap-add=SYS_PTRACE
  is left as-is — orthogonal to this change.

Follow-up

After this lands and gets exercise on more boards, a one-line PR can
flip the default to no.

Summary by CodeRabbit

• New Features
  • Docker container execution now supports configurable privileged mode settings, allowing users to control container security behavior. When privileged mode is enabled, containers run with full privileges. When disabled, the system adjusts device access and security constraints automatically. This provides flexibility for different deployment scenarios while maintaining backward compatibility.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: affaadc8-490c-408d-a581-ac5d43299ed4

📥 Commits

Reviewing files that changed from the base of the PR and between 73a3e49 and 0f91d02.

📒 Files selected for processing (1)

• lib/functions/host/docker.sh

---

📝 Walkthrough

Walkthrough

The Docker container launch logic in the host functions is modified to conditionally control privileged mode via a DOCKER_PRIVILEGED variable, defaulting to yes. When disabled, the container applies alternative security settings including explicit loop-control device access and unconfined seccomp.

Changes

Cohort / File(s)	Summary
Docker Privileged Mode Control lib/functions/host/docker.sh	Replaced unconditional privileged container launch with conditional logic: appends --privileged when DOCKER_PRIVILEGED=yes (default), otherwise applies --security-opt=seccomp=unconfined and adds loop-control device access.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A docker dance, so fine and neat,
With privilege control, now quite discreet,
When yes it says, full power flows,
When not, seccomp relaxes its throes!
Loop devices granted, restrictions eased—
Configuration blessed, complexity ceased! 🐇

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: introducing a DOCKER_PRIVILEGED toggle that gates the --privileged flag with a default of yes, matching the file-level changes and PR objectives.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[igorpecovnik]

I am OK to merge, run tests in unprivileged mode on CI, then proceed with follow up.

RKflashing came to my mind, but its not supported under Docker anyway:
https://github.com/armbian/build/blob/main/extensions/rkdevflash.sh#L26

[iav]

@igorpecovnik thanks. Which combinations would you like me to run locally with PREFER_DOCKER=yes DOCKER_PRIVILEGED=no?

[igorpecovnik]

yes

[iav]

As I already wrote in the PR message, I have already put together several images like this.
Let me know if you want me to check other devices or any additional settings.
Sad I can't run on Runner on Github.

[igorpecovnik]

Sad I can't run on Runner on Github.

Oh, true. Now you can.

https://github.com/armbian/os/actions/workflows/complete-artifact-matrix-standard-support.yml

When executing, you can choose "Framework build branch" ... when adding new (branch must exists here, not on your fork), you need to run https://github.com/armbian/os/actions/workflows/recreate-matrix.yml so it gets there.

[iav]

There it is!
https://github.com/armbian/os/actions/runs/25348467781
However, since this is the first time I have seen this tool in front of me, I am not sure that I have used it correctly, and I do not fully understand what exactly I am seeing.

[igorpecovnik]

Yes, correct and it seems working. Artifacts - when needed - https://fi.mirror.armbian.de/incoming/iav/

[github-actions]

✅ This PR has been reviewed and approved — all set for merge!