[PATCH v3 0/2] scripts: introduce containerized builds

[PATCH v3 0/2] scripts: introduce containerized builds

[Guillaume Tucker]

This proposal emerged from discussions over email and after a talk at
Plumbers 2024:

    https://lore.kernel.org/all/affb7aff-dc9b-4263-bbd4-a7965c19ac4e@gtucker.io/

The aim is to facilitate reproducing builds for CI bots as well as
developers using containers.  Here's an illustrative example with a
kernel.org toolchain in a Docker image from tuxmake:

    $ scripts/container -i tuxmake/korg-clang-21 make LLVM=1 defconfig
      HOSTCC  scripts/basic/fixdep
      HOSTCC  scripts/kconfig/conf.o
    [...]
      HOSTCC  scripts/kconfig/util.o
      HOSTLD  scripts/kconfig/conf
    *** Default configuration is based on 'x86_64_defconfig'
    #
    # configuration written to .config
    #

This patch series also includes a documentation page with all the
relevant details and further examples about how to use the tool.

To go one step further, I'm in the process of preparing reference
container images with kernel.org toolchains and no third-party
dependencies other than the base Debian distro.  See this thread for
more details and options to host them in an upstream way:

    https://lore.kernel.org/all/cc737636-2a43-4a97-975e-4725733f7ee4@gtucker.io/

Say, to run KUnit using the latest kernel.org GCC toolchain:

    scripts/container --shell \
        -i registry.gitlab.com/gtucker/korg-containers/gcc:kunit -- \
        tools/testing/kunit/kunit.py \
            run \
            --arch=x86_64 \
            --cross_compile=x86_64-linux-

---
Changes in v3:
- Refactor common code for Docker and Podman
- Add docs.kernel.org URL in help message
- Use pathlib Python package
- Handle signals in parent process by default
- Add --shell option to use an interactive shell
- Tweak debug messages in verbose mode
- Specify Python 3.10 as minimum version in the docs
- Provide an example env file in the docs
- Update docs regarding interactive shell usage

Changes in v2:
- Drop default image but make -i option required
- Look for Docker and Podman if no runtime specified
- Catch SIGINT from user to abort container with Docker
- Explicitly name each container with a UUID
- Update documentation accordingly

---

Guillaume Tucker (2):
  scripts: add tool to run containerized builds
  Documentation: dev-tools: add container.rst page

 Documentation/dev-tools/container.rst | 201 ++++++++++++++++++++++++++
 Documentation/dev-tools/index.rst     |   1 +
 scripts/container                     | 199 +++++++++++++++++++++++++
 3 files changed, 401 insertions(+)
 create mode 100644 Documentation/dev-tools/container.rst
 create mode 100755 scripts/container

-- 
2.47.3

[PATCH v3 1/2] scripts: add tool to run containerized builds

[Guillaume Tucker]

Add a 'scripts/container' tool written in Python to run any command in
the source tree from within a container.  This can typically be used
to call 'make' with a compiler toolchain image to run reproducible
builds but any arbitrary command can be run too.  Only Docker and
Podman are supported in this initial version.

Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: David Gow <davidgow@google.com>
Cc: "Onur Özkan" <work@onurozkan.dev>
Link: https://lore.kernel.org/all/affb7aff-dc9b-4263-bbd4-a7965c19ac4e@gtucker.io/
Signed-off-by: Guillaume Tucker <gtucker@gtucker.io>
---
 scripts/container | 199 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 199 insertions(+)
 create mode 100755 scripts/container

diff --git a/scripts/container b/scripts/container
new file mode 100755
index 000000000000..dbe92630f05b
--- /dev/null
+++ b/scripts/container
@@ -0,0 +1,199 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: GPL-2.0-only
+# Copyright (C) 2025 Guillaume Tucker
+
+"""Containerized builds"""
+
+import abc
+import argparse
+import logging
+import os
+import pathlib
+import shutil
+import subprocess
+import sys
+import uuid
+
+
+class ContainerRuntime(abc.ABC):
+    """Base class for a container runtime implementation"""
+
+    name = None  # Property defined in each implementation class
+
+    def __init__(self, args, logger):
+        self._uid = args.uid or os.getuid()
+        self._gid = args.gid or args.uid or os.getgid()
+        self._env_file = args.env_file
+        self._shell = args.shell
+        self._logger = logger
+
+    @classmethod
+    def is_present(cls):
+        """Determine whether the runtime is present on the system"""
+        return shutil.which(cls.name) is not None
+
+    @abc.abstractmethod
+    def _do_run(self, image, cmd, container_name):
+        """Runtime-specific handler to run a command in a container"""
+
+    @abc.abstractmethod
+    def _do_abort(self, container_name):
+        """Runtime-specific handler to abort a running container"""
+
+    def run(self, image, cmd):
+        """Run a command in a runtime container"""
+        container_name = str(uuid.uuid4())
+        self._logger.debug("container: %s", container_name)
+        try:
+            return self._do_run(image, cmd, container_name)
+        except KeyboardInterrupt:
+            self._logger.error("user aborted")
+            self._do_abort(container_name)
+            return 1
+
+
+class CommonRuntime(ContainerRuntime):
+    """Common logic for Docker and Podman"""
+
+    def _do_run(self, image, cmd, container_name):
+        cmdline = [self.name, 'run']
+        cmdline += self._get_opts(container_name)
+        cmdline.append(image)
+        cmdline += cmd
+        self._logger.debug('command: %s', ' '.join(cmdline))
+        return subprocess.call(cmdline)
+
+    def _get_opts(self, container_name):
+        opts = [
+            '--name', container_name,
+            '--rm',
+            '--volume', f'{pathlib.Path.cwd()}:/src',
+            '--workdir', '/src',
+        ]
+        if self._env_file:
+            opts += ['--env-file', self._env_file]
+        if self._shell:
+            opts += ['--interactive', '--tty']
+        return opts
+
+    def _do_abort(self, container_name):
+        subprocess.call([self.name, 'kill', container_name])
+
+
+class DockerRuntime(CommonRuntime):
+    """Run a command in a Docker container"""
+
+    name = 'docker'
+
+    def _get_opts(self, container_name):
+        return super()._get_opts(container_name) + [
+            '--user', f'{self._uid}:{self._gid}'
+        ]
+
+
+class PodmanRuntime(CommonRuntime):
+    """Run a command in a Podman container"""
+
+    name = 'podman'
+
+    def _get_opts(self, container_name):
+        return super()._get_opts(container_name) + [
+            '--userns', f'keep-id:uid={self._uid},gid={self._gid}',
+        ]
+
+
+class Runtimes:
+    """List of all supported runtimes"""
+
+    runtimes = [DockerRuntime, PodmanRuntime]
+
+    @classmethod
+    def get_names(cls):
+        """Get a list of all the runtime names"""
+        return list(runtime.name for runtime in cls.runtimes)
+
+    @classmethod
+    def get(cls, name):
+        """Get a single runtime class matching the given name"""
+        for runtime in cls.runtimes:
+            if runtime.name == name:
+                if not runtime.is_present():
+                    raise ValueError(f"runtime not found: {name}")
+                return runtime
+        raise ValueError(f"unknown runtime: {runtime}")
+
+    @classmethod
+    def find(cls):
+        """Find the first runtime present on the system"""
+        for runtime in cls.runtimes:
+            if runtime.is_present():
+                return runtime
+        raise ValueError("no runtime found")
+
+
+def _get_logger(verbose):
+    """Set up a logger with the appropriate level"""
+    logger = logging.getLogger('container')
+    handler = logging.StreamHandler()
+    handler.setFormatter(logging.Formatter(
+        fmt='[container {levelname}] {message}', style='{'
+    ))
+    logger.addHandler(handler)
+    logger.setLevel(logging.DEBUG if verbose is True else logging.INFO)
+    return logger
+
+
+def main(args):
+    """Main entry point for the container tool"""
+    logger = _get_logger(args.verbose)
+    try:
+        cls = Runtimes.get(args.runtime) if args.runtime else Runtimes.find()
+    except ValueError as ex:
+        logger.error(ex)
+        return 1
+    logger.debug("runtime: %s", cls.name)
+    logger.debug("image: %s", args.image)
+    return cls(args, logger).run(args.image, args.cmd)
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(
+        'container',
+        description="See the documentation for more details: "
+        "https://docs.kernel.org/dev-tools/container.html"
+    )
+    parser.add_argument(
+        '-e', '--env-file',
+        help="Path to an environment file to load in the container."
+    )
+    parser.add_argument(
+        '-g', '--gid',
+        help="Group ID to use inside the container."
+    )
+    parser.add_argument(
+        '-i', '--image', required=True,
+        help="Container image name."
+    )
+    parser.add_argument(
+        '-r', '--runtime', choices=Runtimes.get_names(),
+        help="Container runtime name.  If not specified, the first one found "
+        "on the system will be used i.e. Docker if present, otherwise Podman."
+    )
+    parser.add_argument(
+        '-s', '--shell', action='store_true',
+        help="Run the container in an interactive shell."
+    )
+    parser.add_argument(
+        '-u', '--uid',
+        help="User ID to use inside the container.  If the -g option is not "
+        "specified, the user ID will also be set as the group ID."
+    )
+    parser.add_argument(
+        '-v', '--verbose', action='store_true',
+        help="Enable verbose output."
+    )
+    parser.add_argument(
+        'cmd', nargs='+',
+        help="Command to run in the container"
+    )
+    sys.exit(main(parser.parse_args(sys.argv[1:])))
-- 
2.47.3

[PATCH v3 2/2] Documentation: dev-tools: add container.rst page

[Guillaume Tucker]

Add a dev-tools/container.rst documentation page for the
scripts/container tool.  This covers the basic usage with additional
information about environment variables and user IDs.  It also
includes a number of practical examples with a reference to the
experimental kernel.org toolchain images.

Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: David Gow <davidgow@google.com>
Cc: "Onur Özkan" <work@onurozkan.dev>
Signed-off-by: Guillaume Tucker <gtucker@gtucker.io>
---
 Documentation/dev-tools/container.rst | 201 ++++++++++++++++++++++++++
 Documentation/dev-tools/index.rst     |   1 +
 2 files changed, 202 insertions(+)
 create mode 100644 Documentation/dev-tools/container.rst

diff --git a/Documentation/dev-tools/container.rst b/Documentation/dev-tools/container.rst
new file mode 100644
index 000000000000..f6f134ec09f5
--- /dev/null
+++ b/Documentation/dev-tools/container.rst
@@ -0,0 +1,201 @@
+.. SPDX-License-Identifier: GPL-2.0-only
+.. Copyright (C) 2025 Guillaume Tucker
+
+====================
+Containerized Builds
+====================
+
+The ``container`` tool can be used to run any command in the kernel source tree
+from within a container.  Doing so facilitates reproducing builds across
+various platforms, for example when a test bot has reported an issue which
+requires a specific version of a compiler or an external test suite.  While
+this can already be done by users who are familiar with containers, having a
+dedicated tool in the kernel tree lowers the barrier to entry by solving common
+problems once and for all (e.g. user id management).  It also makes it easier
+to share an exact command line leading to a particular result.  The main use
+case is likely to be kernel builds but virtually anything can be run: KUnit,
+checkpatch etc. provided a suitable image is available.
+
+
+Options
+=======
+
+Command line syntax::
+
+  scripts/container -i IMAGE [OPTION]... CMD...
+
+Available options:
+
+``-e, --env-file ENV_FILE``
+
+    Path to an environment file to load in the container.
+
+``-g, --gid GID``
+
+    Group id to use inside the container.
+
+``-i, --image IMAGE``
+
+    Container image name (required).
+
+``-r, --runtime RUNTIME``
+
+    Container runtime name.  Supported runtimes: ``docker``, ``podman``.
+
+    If not specified, the first one found on the system will be used
+    i.e. Docker if present, otherwise Podman.
+
+``-s, --shell``
+
+    Run the container in an interactive shell.
+
+``-u, --uid UID``
+
+    User id to use inside the container.
+
+    If the ``-g`` option is not specified, the user id will also be used for
+    the group id.
+
+``-v, --verbose``
+
+    Enable verbose output.
+
+``-h, --help``
+
+    Show the help message and exit.
+
+
+Usage
+=====
+
+It's entirely up to the user to choose which image to use and the ``CMD``
+arguments are passed directly as an arbitrary command line to run in the
+container.  The tool will take care of mounting the source tree as the current
+working directory and adjust the user and group id as needed.
+
+The container image which would typically include a compiler toolchain is
+provided by the user and selected via the ``-i`` option.  The container runtime
+can be selected with the ``-r`` option, which can be either ``docker`` or
+``podman``.  If none is specified, the first one found on the system will be
+used.  Support for other runtimes may be added later depending on their
+popularity among users.
+
+By default, commands are run non-interactively.  The user can abort a running
+container with SIGINT (Ctrl-C).  To run commands interactively with a TTY, the
+``--shell`` or ``-s`` option can be used.  Signals will then be received by the
+shell directly rather than the parent ``container`` process.  To exit an
+interactive shell, use Ctrl-D or ``exit``.
+
+.. note::
+
+   The only host requirement aside from a container runtime is Python 3.10 or
+   later.
+
+
+Environment Variables
+=====================
+
+Environment variables are not propagated to the container so they have to be
+either defined in the image itself or via the ``-e`` option using an
+environment file.  In some cases it makes more sense to have them defined in
+the Containerfile used to create the image.  For example, a Clang-only compiler
+toolchain image may have ``LLVM=1`` defined.
+
+The local environment file is more useful for user-specific variables added
+during development.  It is passed as-is to the container runtime so its format
+may vary.  Typically, it will look like the output of ``env``.  For example::
+
+  INSTALL_MOD_STRIP=1
+  SOME_RANDOM_TEXT=One upon a time
+
+Please also note that ``make`` options can still be passed on the command line,
+so while this can't be done since the first argument needs to be the
+executable::
+
+  scripts/container -i tuxmake/korg-clang LLVM=1 make
+
+this will work::
+
+  scripts/container -i tuxmake/korg-clang make LLVM=1
+
+
+User IDs
+========
+
+This is an area where the behaviour will vary slightly depending on the
+container runtime.  The goal is to run commands as the user invoking the tool.
+With Podman, a namespace is created to map the current user id to a different
+one in the container (1000 by default).  With Docker, while this is also
+possible with recent versions it requires a special feature to be enabled in
+the daemon so it's not used here for simplicity.  Instead, the container is run
+with the current user id directly.  In both cases, this will provide the same
+file permissions for the kernel source tree mounted as a volume.  The only
+difference is that when using Docker without a namespace, the user id may not
+be the same as the default one set in the image.
+
+Say, we're using an image which sets up a default user with id 1000 and the
+current user calling the ``container`` tool has id 1234.  The kernel source
+tree was checked out by this same user so the files belong to user 1234.  With
+Podman, the container will be running as user id 1000 with a mapping to id 1234
+so that the files from the mounted volume appear to belong to id 1000 inside
+the container.  With Docker and no namespace, the container will be running
+with user id 1234 which can access the files in the volume but not in the user
+1000 home directory.  This shouldn't be an issue when running commands only in
+the kernel tree but it is worth highlighting here as it might matter for
+special corner cases.
+
+
+Examples
+========
+
+The shortest example is to run a basic kernel build using the default runtime
+(e.g. Docker) and a ``tuxmake`` Clang image::
+
+  scripts/container -i tuxmake/korg-clang -- make LLVM=1 defconfig
+  scripts/container -i tuxmake/korg-clang -- make LLVM=1 -j$(nproc)
+
+.. note::
+
+   When running a command with options within the container, it should be
+   separated with a double dash ``--`` to not confuse them with the
+   ``container`` tool options.  Plain commands with no options don't strictly
+   require the double dashes e.g.::
+
+     scripts/container -i tuxmake/korg-clang make mrproper
+
+To run ``checkpatch.pl`` in a ``patches`` directory with a generic image::
+
+  scripts/container -i perl:slim-trixie scripts/checkpatch.pl patches/*
+
+The examples below refer to ``kernel.org`` images which are based on the
+`kernel.org compiler toolchains
+<https://mirrors.edge.kernel.org/pub/tools/>`__.  These aren't (yet) officially
+available in any public registry but users can build their own locally instead
+using this `experimental repository
+<https://gitlab.com/gtucker/korg-containers>`__ by running ``make
+PREFIX=kernel.org/``.
+
+To build just ``bzImage`` using Clang::
+
+  scripts/container -i kernel.org/clang -- make bzImage -j$(nproc)
+
+Same with GCC 15 as a particular version tag::
+
+  scripts/container -i kernel.org/gcc:15 -- make bzImage -j$(nproc)
+
+To run KUnit in an interactive shell and get the full output::
+
+  scripts/container -s -i kernel.org/gcc:kunit -- \
+      tools/testing/kunit/kunit.py \
+          run \
+          --arch=x86_64 \
+          --cross_compile=x86_64-linux-
+
+To just start an interactive shell::
+
+  scripts/container -si kernel.org/gcc bash
+
+To build the HTML documentation, which requires the ``kdocs`` image built with
+``make PREFIX=kernel.org/ extra`` as it's not a compiler toolchain::
+
+  scripts/container -i kernel.org/kdocs make htmldocs
diff --git a/Documentation/dev-tools/index.rst b/Documentation/dev-tools/index.rst
index 4b8425e348ab..527a0e4cf2ed 100644
--- a/Documentation/dev-tools/index.rst
+++ b/Documentation/dev-tools/index.rst
@@ -38,6 +38,7 @@ Documentation/process/debugging/index.rst
    gpio-sloppy-logic-analyzer
    autofdo
    propeller
+   container
 
 
 .. only::  subproject and html
-- 
2.47.3

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Guillaume Tucker]

Hello,

On 31/12/2025 17:51, Guillaume Tucker wrote:
> Changes in v3:
> - Refactor common code for Docker and Podman
> - Add docs.kernel.org URL in help message
> - Use pathlib Python package
> - Handle signals in parent process by default
> - Add --shell option to use an interactive shell
> - Tweak debug messages in verbose mode
> - Specify Python 3.10 as minimum version in the docs
> - Provide an example env file in the docs
> - Update docs regarding interactive shell usage

I'm sure you're all busy landing commits ahead of the next merge
window.  Could you please take a look at this v3 when you have a
moment?  I believe I've addressed everything from previous reviews.

Thanks,
Guillaume

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Nathan Chancellor]

Hi Guillaume,

On Fri, Jan 16, 2026 at 11:28:24AM +0100, Guillaume Tucker wrote:
> Hello,
> 
> On 31/12/2025 17:51, Guillaume Tucker wrote:
> > Changes in v3:
> > - Refactor common code for Docker and Podman
> > - Add docs.kernel.org URL in help message
> > - Use pathlib Python package
> > - Handle signals in parent process by default
> > - Add --shell option to use an interactive shell
> > - Tweak debug messages in verbose mode
> > - Specify Python 3.10 as minimum version in the docs
> > - Provide an example env file in the docs
> > - Update docs regarding interactive shell usage
> 
> I'm sure you're all busy landing commits ahead of the next merge
> window.  Could you please take a look at this v3 when you have a
> moment?  I believe I've addressed everything from previous reviews.

So sorry for the radio silence. I was going to try and look at this
today to give feedback before the weekend but I will not be able to look
at it until Monday. Given that this is self-contained (no pun intended)
with no regression risks, I would have no qualms with applying this late
in the development cycle.

Cheers,
Nathan

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Guillaume Tucker]

Hi Nathan,

On 16/01/2026 10:12 pm, Nathan Chancellor wrote:
> Hi Guillaume,
> 
> On Fri, Jan 16, 2026 at 11:28:24AM +0100, Guillaume Tucker wrote:
>> Hello,
>>
>> On 31/12/2025 17:51, Guillaume Tucker wrote:
>>> Changes in v3:
>>> - Refactor common code for Docker and Podman
>>> - Add docs.kernel.org URL in help message
>>> - Use pathlib Python package
>>> - Handle signals in parent process by default
>>> - Add --shell option to use an interactive shell
>>> - Tweak debug messages in verbose mode
>>> - Specify Python 3.10 as minimum version in the docs
>>> - Provide an example env file in the docs
>>> - Update docs regarding interactive shell usage
>>
>> I'm sure you're all busy landing commits ahead of the next merge
>> window.  Could you please take a look at this v3 when you have a
>> moment?  I believe I've addressed everything from previous reviews.
> 
> So sorry for the radio silence. I was going to try and look at this
> today to give feedback before the weekend but I will not be able to look
> at it until Monday. Given that this is self-contained (no pun intended)
> with no regression risks, I would have no qualms with applying this late
> in the development cycle.

Thanks for getting back to me, that's great.  I'll keep working on
some follow-up improvements in the meantime, regardless of the pace
of the review process.

Cheers,
Guillaume

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Nathan Chancellor]

Hi Guillaume,

On Wed, Dec 31, 2025 at 05:51:48PM +0100, Guillaume Tucker wrote:
> This proposal emerged from discussions over email and after a talk at
> Plumbers 2024:
> 
>     https://lore.kernel.org/all/affb7aff-dc9b-4263-bbd4-a7965c19ac4e@gtucker.io/
> 
> The aim is to facilitate reproducing builds for CI bots as well as
> developers using containers.  Here's an illustrative example with a
> kernel.org toolchain in a Docker image from tuxmake:
> 
>     $ scripts/container -i tuxmake/korg-clang-21 make LLVM=1 defconfig
>       HOSTCC  scripts/basic/fixdep
>       HOSTCC  scripts/kconfig/conf.o
>     [...]
>       HOSTCC  scripts/kconfig/util.o
>       HOSTLD  scripts/kconfig/conf
>     *** Default configuration is based on 'x86_64_defconfig'
>     #
>     # configuration written to .config
>     #
> 
> This patch series also includes a documentation page with all the
> relevant details and further examples about how to use the tool.
> 
> To go one step further, I'm in the process of preparing reference
> container images with kernel.org toolchains and no third-party
> dependencies other than the base Debian distro.  See this thread for
> more details and options to host them in an upstream way:
> 
>     https://lore.kernel.org/all/cc737636-2a43-4a97-975e-4725733f7ee4@gtucker.io/
> 
> Say, to run KUnit using the latest kernel.org GCC toolchain:
> 
>     scripts/container --shell \
>         -i registry.gitlab.com/gtucker/korg-containers/gcc:kunit -- \
>         tools/testing/kunit/kunit.py \
>             run \
>             --arch=x86_64 \
>             --cross_compile=x86_64-linux-

I went over the script and the documentation and it looks pretty good to
me at this point. My only comment would be potentially referencing the
TuxMake container images in the example section to give folks a
"prebuilt" container option while getting the kernel.org container
images sorted out but that can always be done in a follow-up change.

I will apply this to kbuild-next-unstable shortly to give folks a week
or so to voice any objections or give critical review comments.

Cheers,
Nathan

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Nathan Chancellor]

On Mon, Jan 19, 2026 at 02:35:16PM -0700, Nathan Chancellor wrote:
> I will apply this to kbuild-next-unstable shortly to give folks a week
> or so to voice any objections or give critical review comments.

During application, checkpatch.pl pointed out that this should have a
MAINTAINERS entry. Would you be opposed to the following?

CONTAINER BUILD SCRIPT
M:	Guillaume Tucker <gtucker@gtucker.io>
S:	Maintained
F:	Documentation/dev-tools/container.rst
F:	scripts/container

I will also add scripts/container to the kbuild entry. Now that I am
looking, it looks like Nicolas has been left out of this whole thread,
cc'ing him now (even though I assume he should have seen this through
linux-kbuild but just in case not, the top of the thread is
https://lore.kernel.org/cover.1767199119.git.gtucker@gtucker.io/).

Cheers,
Nathan

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Guillaume Tucker]

Hi Nathan,

On 19/01/2026 22:35, Nathan Chancellor wrote:
> I went over the script and the documentation and it looks pretty good to
> me at this point. My only comment would be potentially referencing the
> TuxMake container images in the example section to give folks a
> "prebuilt" container option while getting the kernel.org container
> images sorted out but that can always be done in a follow-up change.

Well the tuxmake LLVM image is mentioned in the first example:

    scripts/container -i tuxmake/korg-clang -- make LLVM=1 defconfig
    scripts/container -i tuxmake/korg-clang -- make LLVM=1 -j$(nproc)

So that should just work out of the box.  Or did you mean to add
something else to the docs?

But yes, the topic of available container images will be something to
expand upon once the tool starts getting used.  If things go well
with this initial version then we can try and move forward with
hosting first-party images as per the other discussion thread:

    https://lore.kernel.org/all/cc737636-2a43-4a97-975e-4725733f7ee4@gtucker.io/

> I will apply this to kbuild-next-unstable shortly to give folks a week
> or so to voice any objections or give critical review comments.

Sounds great, thanks!  I'll spread the word too once it's available
in linux-next.

Cheers,
Guillaume

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Guillaume Tucker]

On 19/01/2026 22:49, Nathan Chancellor wrote:
> On Mon, Jan 19, 2026 at 02:35:16PM -0700, Nathan Chancellor wrote:
>> I will apply this to kbuild-next-unstable shortly to give folks a week
>> or so to voice any objections or give critical review comments.
> 
> During application, checkpatch.pl pointed out that this should have a
> MAINTAINERS entry. Would you be opposed to the following?

Not at all, on the contrary I have some dedicated time and long-term
interest to keep maintaining this.  Please feel free to add me or I
can send an extra patch if you'd rather I did it.

> CONTAINER BUILD SCRIPT
> M:	Guillaume Tucker <gtucker@gtucker.io>
> S:	Maintained
> F:	Documentation/dev-tools/container.rst
> F:	scripts/container
> 
> I will also add scripts/container to the kbuild entry. Now that I am
> looking, it looks like Nicolas has been left out of this whole thread,
> cc'ing him now (even though I assume he should have seen this through
> linux-kbuild but just in case not, the top of the thread is
> https://lore.kernel.org/cover.1767199119.git.gtucker@gtucker.io/).

OK sounds good.  And sorry, get_maintainer.pl didn't mention Nicolas.
I should have checked the KERNEL BUILD entry by hand in the file...

Cheers,
Guillaume

Re: [PATCH v3 2/2] Documentation: dev-tools: add container.rst page

[Nicolas Schier]

On Wed, Dec 31, 2025 at 05:51:50PM +0100, Guillaume Tucker wrote:
> Add a dev-tools/container.rst documentation page for the
> scripts/container tool.  This covers the basic usage with additional
> information about environment variables and user IDs.  It also
> includes a number of practical examples with a reference to the
> experimental kernel.org toolchain images.
> 
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Miguel Ojeda <ojeda@kernel.org>
> Cc: David Gow <davidgow@google.com>
> Cc: "Onur Özkan" <work@onurozkan.dev>
> Signed-off-by: Guillaume Tucker <gtucker@gtucker.io>
> ---
>  Documentation/dev-tools/container.rst | 201 ++++++++++++++++++++++++++
>  Documentation/dev-tools/index.rst     |   1 +
>  2 files changed, 202 insertions(+)
>  create mode 100644 Documentation/dev-tools/container.rst
> 
> diff --git a/Documentation/dev-tools/container.rst b/Documentation/dev-tools/container.rst
> new file mode 100644
> index 000000000000..f6f134ec09f5
> --- /dev/null
> +++ b/Documentation/dev-tools/container.rst
> @@ -0,0 +1,201 @@
> +.. SPDX-License-Identifier: GPL-2.0-only
> +.. Copyright (C) 2025 Guillaume Tucker
> +
> +====================
> +Containerized Builds
> +====================
> +
> +The ``container`` tool can be used to run any command in the kernel source tree
> +from within a container.  Doing so facilitates reproducing builds across
> +various platforms, for example when a test bot has reported an issue which
> +requires a specific version of a compiler or an external test suite.  While
> +this can already be done by users who are familiar with containers, having a
> +dedicated tool in the kernel tree lowers the barrier to entry by solving common
> +problems once and for all (e.g. user id management).  It also makes it easier
> +to share an exact command line leading to a particular result.  The main use
> +case is likely to be kernel builds but virtually anything can be run: KUnit,
> +checkpatch etc. provided a suitable image is available.
> +
> +
> +Options
> +=======
> +
> +Command line syntax::
> +
> +  scripts/container -i IMAGE [OPTION]... CMD...
> +
> +Available options:
> +
> +``-e, --env-file ENV_FILE``
> +
> +    Path to an environment file to load in the container.
> +
> +``-g, --gid GID``
> +
> +    Group id to use inside the container.
> +
> +``-i, --image IMAGE``
> +
> +    Container image name (required).
> +
> +``-r, --runtime RUNTIME``
> +
> +    Container runtime name.  Supported runtimes: ``docker``, ``podman``.
> +
> +    If not specified, the first one found on the system will be used
> +    i.e. Docker if present, otherwise Podman.
> +
> +``-s, --shell``
> +
> +    Run the container in an interactive shell.
> +
> +``-u, --uid UID``
> +
> +    User id to use inside the container.
> +
> +    If the ``-g`` option is not specified, the user id will also be used for
> +    the group id.
> +
> +``-v, --verbose``
> +
> +    Enable verbose output.
> +
> +``-h, --help``
> +
> +    Show the help message and exit.
> +
> +
> +Usage
> +=====
> +
> +It's entirely up to the user to choose which image to use and the ``CMD``
> +arguments are passed directly as an arbitrary command line to run in the
> +container.  The tool will take care of mounting the source tree as the current
> +working directory and adjust the user and group id as needed.
> +
> +The container image which would typically include a compiler toolchain is
> +provided by the user and selected via the ``-i`` option.  The container runtime
> +can be selected with the ``-r`` option, which can be either ``docker`` or
> +``podman``.  If none is specified, the first one found on the system will be
> +used.  Support for other runtimes may be added later depending on their
> +popularity among users.
> +
> +By default, commands are run non-interactively.  The user can abort a running
> +container with SIGINT (Ctrl-C).  To run commands interactively with a TTY, the
> +``--shell`` or ``-s`` option can be used.  Signals will then be received by the
> +shell directly rather than the parent ``container`` process.  To exit an
> +interactive shell, use Ctrl-D or ``exit``.
> +
> +.. note::
> +
> +   The only host requirement aside from a container runtime is Python 3.10 or
> +   later.
> +
> +
> +Environment Variables
> +=====================
> +
> +Environment variables are not propagated to the container so they have to be
> +either defined in the image itself or via the ``-e`` option using an
> +environment file.  In some cases it makes more sense to have them defined in
> +the Containerfile used to create the image.  For example, a Clang-only compiler
> +toolchain image may have ``LLVM=1`` defined.
> +
> +The local environment file is more useful for user-specific variables added
> +during development.  It is passed as-is to the container runtime so its format
> +may vary.  Typically, it will look like the output of ``env``.  For example::
> +
> +  INSTALL_MOD_STRIP=1
> +  SOME_RANDOM_TEXT=One upon a time
> +
> +Please also note that ``make`` options can still be passed on the command line,
> +so while this can't be done since the first argument needs to be the
> +executable::
> +
> +  scripts/container -i tuxmake/korg-clang LLVM=1 make
> +
> +this will work::
> +
> +  scripts/container -i tuxmake/korg-clang make LLVM=1

First of all: Thanks for all that work!


I probably have just read it over: I have to prefix the
'tuxmake/korg-clang' by 'docker.io/'.  Is that a problem of my system
configuration (Debian forky, no special podman config)?


> +
> +
> +User IDs
> +========
> +
> +This is an area where the behaviour will vary slightly depending on the
> +container runtime.  The goal is to run commands as the user invoking the tool.
> +With Podman, a namespace is created to map the current user id to a different
> +one in the container (1000 by default).  With Docker, while this is also
> +possible with recent versions it requires a special feature to be enabled in
> +the daemon so it's not used here for simplicity.  Instead, the container is run
> +with the current user id directly.  In both cases, this will provide the same
> +file permissions for the kernel source tree mounted as a volume.  The only
> +difference is that when using Docker without a namespace, the user id may not
> +be the same as the default one set in the image.
> +
> +Say, we're using an image which sets up a default user with id 1000 and the
> +current user calling the ``container`` tool has id 1234.  The kernel source
> +tree was checked out by this same user so the files belong to user 1234.  With
> +Podman, the container will be running as user id 1000 with a mapping to id 1234
> +so that the files from the mounted volume appear to belong to id 1000 inside
> +the container.  With Docker and no namespace, the container will be running
> +with user id 1234 which can access the files in the volume but not in the user
> +1000 home directory.  This shouldn't be an issue when running commands only in
> +the kernel tree but it is worth highlighting here as it might matter for
> +special corner cases.

I tested a tiny bit with podman as runtime backend.  If I leave out the
'-r podman' podman's docker emulation is in effect and fails with:

    $ scripts/container -i docker.io/tuxmake/korg-clang -- make LLVM=1 -j8 olddefconfig
    Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
    mkdir: cannot create directory '.tmp_15': Permission denied
    mkdir: cannot create directory '.tmp_19': Permission denied
    mkdir: cannot create directory '.tmp_22': Permission denied
    mkdir: cannot create directory '.tmp_25': Permission denied
    mkdir: cannot create directory '.tmp_28': Permission denied
    mkdir: cannot create directory '.tmp_31': Permission denied
      HOSTCC  scripts/basic/fixdep
    error: error opening 'scripts/basic/.fixdep.d': Permission denied
    1 error generated.
    make[2]: *** [scripts/Makefile.host:114: scripts/basic/fixdep] Error 1
    make[1]: *** [/src/Makefile:655: scripts_basic] Error 2
    make: *** [Makefile:248: __sub-make] Error 2
    [exit code 2]

But with '-r podman' it works like a charm.

Would it make sense to switch the default runtime to podman to
prevent non-functional podman-docker emulation?  (Or is this just a
problem on my machine?)

-- 
Nicolas

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Nicolas Schier]

On Wed, Dec 31, 2025 at 05:51:48PM +0100, Guillaume Tucker wrote:
> This proposal emerged from discussions over email and after a talk at
> Plumbers 2024:
> 
>     https://lore.kernel.org/all/affb7aff-dc9b-4263-bbd4-a7965c19ac4e@gtucker.io/
> 
> The aim is to facilitate reproducing builds for CI bots as well as
> developers using containers.  Here's an illustrative example with a
> kernel.org toolchain in a Docker image from tuxmake:
> 
>     $ scripts/container -i tuxmake/korg-clang-21 make LLVM=1 defconfig
>       HOSTCC  scripts/basic/fixdep
>       HOSTCC  scripts/kconfig/conf.o
>     [...]
>       HOSTCC  scripts/kconfig/util.o
>       HOSTLD  scripts/kconfig/conf
>     *** Default configuration is based on 'x86_64_defconfig'
>     #
>     # configuration written to .config
>     #
> 
> This patch series also includes a documentation page with all the
> relevant details and further examples about how to use the tool.
> 
> To go one step further, I'm in the process of preparing reference
> container images with kernel.org toolchains and no third-party
> dependencies other than the base Debian distro.  See this thread for
> more details and options to host them in an upstream way:
> 
>     https://lore.kernel.org/all/cc737636-2a43-4a97-975e-4725733f7ee4@gtucker.io/
> 
> Say, to run KUnit using the latest kernel.org GCC toolchain:
> 
>     scripts/container --shell \
>         -i registry.gitlab.com/gtucker/korg-containers/gcc:kunit -- \
>         tools/testing/kunit/kunit.py \
>             run \
>             --arch=x86_64 \
>             --cross_compile=x86_64-linux-
> 
> ---
> Changes in v3:
> - Refactor common code for Docker and Podman
> - Add docs.kernel.org URL in help message
> - Use pathlib Python package
> - Handle signals in parent process by default
> - Add --shell option to use an interactive shell
> - Tweak debug messages in verbose mode
> - Specify Python 3.10 as minimum version in the docs
> - Provide an example env file in the docs
> - Update docs regarding interactive shell usage
> 
> Changes in v2:
> - Drop default image but make -i option required
> - Look for Docker and Podman if no runtime specified
> - Catch SIGINT from user to abort container with Docker
> - Explicitly name each container with a UUID
> - Update documentation accordingly
> 
> ---
> 
> Guillaume Tucker (2):
>   scripts: add tool to run containerized builds
>   Documentation: dev-tools: add container.rst page
> 
>  Documentation/dev-tools/container.rst | 201 ++++++++++++++++++++++++++
>  Documentation/dev-tools/index.rst     |   1 +
>  scripts/container                     | 199 +++++++++++++++++++++++++
>  3 files changed, 401 insertions(+)
>  create mode 100644 Documentation/dev-tools/container.rst
>  create mode 100755 scripts/container
> 
> -- 
> 2.47.3
> 
> 

Out-of-source builds do not work on my system with podman.  If this is
expected, I think it would be great to mention that somewhere in the
documentation.


Nevertheless, thanks a lot!  I expect me to use that a lot in the
future!

For the whole patch set:
Tested-by: Nicolas Schier <nsc@kernel.org>
Acked-by: Nicolas Schier <nsc@kernel.org>

Kind regards,
Nicolas


-- 
Nicolas

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Nathan Chancellor]

On Tue, Jan 20, 2026 at 10:46:15AM +0100, Guillaume Tucker wrote:
> Well the tuxmake LLVM image is mentioned in the first example:
> 
>     scripts/container -i tuxmake/korg-clang -- make LLVM=1 defconfig
>     scripts/container -i tuxmake/korg-clang -- make LLVM=1 -j$(nproc)
> 
> So that should just work out of the box.  Or did you mean to add
> something else to the docs?

I was just envisioning a blurb like "Additionally, TuxMake has prebuilt
containers for various architectures: https://hub.docker.com/u/tuxmake"
or something like that at the end of the paragraph before "To build just
``bzImage`` using Clang::" in the documentation.

> But yes, the topic of available container images will be something to
> expand upon once the tool starts getting used.  If things go well
> with this initial version then we can try and move forward with
> hosting first-party images as per the other discussion thread:
> 
>     https://lore.kernel.org/all/cc737636-2a43-4a97-975e-4725733f7ee4@gtucker.io/

Yeah hopefully usage of this tool will spur some movement on that
discussion thread.

Cheers,
Nathan

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Nathan Chancellor]

On Tue, Jan 20, 2026 at 10:56:46AM +0100, Guillaume Tucker wrote:
> Not at all, on the contrary I have some dedicated time and long-term
> interest to keep maintaining this.  Please feel free to add me or I
> can send an extra patch if you'd rather I did it.

I can fold that into the two changes in a natural way.

> OK sounds good.  And sorry, get_maintainer.pl didn't mention Nicolas.
> I should have checked the KERNEL BUILD entry by hand in the file...

No worries, I am sure there are quite a few scripts that we technically
own but do not have an entry for it in MAINTAINERS. This won't be a
problem going forward at least :)

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Nathan Chancellor]

On Tue, Jan 20, 2026 at 02:54:47PM +0100, Nicolas Schier wrote:
> Out-of-source builds do not work on my system with podman.  If this is
> expected, I think it would be great to mention that somewhere in the
> documentation.

Yeah, that is expected for this revision of the script, I brought that
up in a previous review:

https://lore.kernel.org/20251219194748.GA1404325@ax162/

Cheers,
Nathan

Re: [PATCH v3 2/2] Documentation: dev-tools: add container.rst page

[Nathan Chancellor]

On Tue, Jan 20, 2026 at 02:53:33PM +0100, Nicolas Schier wrote:
> I probably have just read it over: I have to prefix the
> 'tuxmake/korg-clang' by 'docker.io/'.  Is that a problem of my system
> configuration (Debian forky, no special podman config)?

Some distributions ship registries.conf [1] to allow unqualified image
names but I do not think Debian does. Personally, I use the full name
regardless but it should be easy to create it for commands such as these
to work. I use:

unqualified-search-registries = ['docker.io', 'ghcr.io', 'quay.io']

[1]: https://podman.io/docs/installation#registriesconf

> I tested a tiny bit with podman as runtime backend.  If I leave out the
> '-r podman' podman's docker emulation is in effect and fails with:
> 
>     $ scripts/container -i docker.io/tuxmake/korg-clang -- make LLVM=1 -j8 olddefconfig
>     Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
>     mkdir: cannot create directory '.tmp_15': Permission denied
>     mkdir: cannot create directory '.tmp_19': Permission denied
>     mkdir: cannot create directory '.tmp_22': Permission denied
>     mkdir: cannot create directory '.tmp_25': Permission denied
>     mkdir: cannot create directory '.tmp_28': Permission denied
>     mkdir: cannot create directory '.tmp_31': Permission denied
>       HOSTCC  scripts/basic/fixdep
>     error: error opening 'scripts/basic/.fixdep.d': Permission denied
>     1 error generated.
>     make[2]: *** [scripts/Makefile.host:114: scripts/basic/fixdep] Error 1
>     make[1]: *** [/src/Makefile:655: scripts_basic] Error 2
>     make: *** [Makefile:248: __sub-make] Error 2
>     [exit code 2]
> 
> But with '-r podman' it works like a charm.
> 
> Would it make sense to switch the default runtime to podman to
> prevent non-functional podman-docker emulation?  (Or is this just a
> problem on my machine?)

Yeah, I think it would be better to prefer podman over docker if both
existed on the system. Something like this should do that?

diff --git a/scripts/container b/scripts/container
index dbe92630f05b..50c4ae851001 100755
--- a/scripts/container
+++ b/scripts/container
@@ -105,7 +105,7 @@ class PodmanRuntime(CommonRuntime):
 class Runtimes:
     """List of all supported runtimes"""
 
-    runtimes = [DockerRuntime, PodmanRuntime]
+    runtimes = [PodmanRuntime, DockerRuntime]
 
     @classmethod
     def get_names(cls):

Re: [PATCH v3 2/2] Documentation: dev-tools: add container.rst page

[Nathan Chancellor]

Actually sending to Nicolas now :) sorry for the noise!

https://lore.kernel.org/linux-kbuild/20260120183550.GD2749368@ax162/

On Tue, Jan 20, 2026 at 11:35:50AM -0700, Nathan Chancellor wrote:
> On Tue, Jan 20, 2026 at 02:53:33PM +0100, Nicolas Schier wrote:
> > I probably have just read it over: I have to prefix the
> > 'tuxmake/korg-clang' by 'docker.io/'.  Is that a problem of my system
> > configuration (Debian forky, no special podman config)?
> 
> Some distributions ship registries.conf [1] to allow unqualified image
> names but I do not think Debian does. Personally, I use the full name
> regardless but it should be easy to create it for commands such as these
> to work. I use:
> 
> unqualified-search-registries = ['docker.io', 'ghcr.io', 'quay.io']
> 
> [1]: https://podman.io/docs/installation#registriesconf
> 
> > I tested a tiny bit with podman as runtime backend.  If I leave out the
> > '-r podman' podman's docker emulation is in effect and fails with:
> > 
> >     $ scripts/container -i docker.io/tuxmake/korg-clang -- make LLVM=1 -j8 olddefconfig
> >     Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
> >     mkdir: cannot create directory '.tmp_15': Permission denied
> >     mkdir: cannot create directory '.tmp_19': Permission denied
> >     mkdir: cannot create directory '.tmp_22': Permission denied
> >     mkdir: cannot create directory '.tmp_25': Permission denied
> >     mkdir: cannot create directory '.tmp_28': Permission denied
> >     mkdir: cannot create directory '.tmp_31': Permission denied
> >       HOSTCC  scripts/basic/fixdep
> >     error: error opening 'scripts/basic/.fixdep.d': Permission denied
> >     1 error generated.
> >     make[2]: *** [scripts/Makefile.host:114: scripts/basic/fixdep] Error 1
> >     make[1]: *** [/src/Makefile:655: scripts_basic] Error 2
> >     make: *** [Makefile:248: __sub-make] Error 2
> >     [exit code 2]
> > 
> > But with '-r podman' it works like a charm.
> > 
> > Would it make sense to switch the default runtime to podman to
> > prevent non-functional podman-docker emulation?  (Or is this just a
> > problem on my machine?)
> 
> Yeah, I think it would be better to prefer podman over docker if both
> existed on the system. Something like this should do that?
> 
> diff --git a/scripts/container b/scripts/container
> index dbe92630f05b..50c4ae851001 100755
> --- a/scripts/container
> +++ b/scripts/container
> @@ -105,7 +105,7 @@ class PodmanRuntime(CommonRuntime):
>  class Runtimes:
>      """List of all supported runtimes"""
>  
> -    runtimes = [DockerRuntime, PodmanRuntime]
> +    runtimes = [PodmanRuntime, DockerRuntime]
>  
>      @classmethod
>      def get_names(cls):
> 

Re: [PATCH v3 2/2] Documentation: dev-tools: add container.rst page

[Guillaume Tucker]

On 20/01/2026 7:35 pm, Nathan Chancellor wrote:
> On Tue, Jan 20, 2026 at 02:53:33PM +0100, Nicolas Schier wrote:
>> I probably have just read it over: I have to prefix the
>> 'tuxmake/korg-clang' by 'docker.io/'.  Is that a problem of my system
>> configuration (Debian forky, no special podman config)?
> 
> Some distributions ship registries.conf [1] to allow unqualified image
> names but I do not think Debian does. Personally, I use the full name
> regardless but it should be easy to create it for commands such as these
> to work. I use:
> 
> unqualified-search-registries = ['docker.io', 'ghcr.io', 'quay.io']
> 
> [1]: https://podman.io/docs/installation#registriesconf

And this is not directly related to the scripts/container tool as it
just passes the image name as-is.  Maybe the example in the docs
should explicitly use docker.io/ though.

>> I tested a tiny bit with podman as runtime backend.  If I leave out the
>> '-r podman' podman's docker emulation is in effect and fails with:
>>
>>      $ scripts/container -i docker.io/tuxmake/korg-clang -- make LLVM=1 -j8 olddefconfig
>>      Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
>>      mkdir: cannot create directory '.tmp_15': Permission denied
>>      mkdir: cannot create directory '.tmp_19': Permission denied
>>      mkdir: cannot create directory '.tmp_22': Permission denied
>>      mkdir: cannot create directory '.tmp_25': Permission denied
>>      mkdir: cannot create directory '.tmp_28': Permission denied
>>      mkdir: cannot create directory '.tmp_31': Permission denied
>>        HOSTCC  scripts/basic/fixdep
>>      error: error opening 'scripts/basic/.fixdep.d': Permission denied
>>      1 error generated.
>>      make[2]: *** [scripts/Makefile.host:114: scripts/basic/fixdep] Error 1
>>      make[1]: *** [/src/Makefile:655: scripts_basic] Error 2
>>      make: *** [Makefile:248: __sub-make] Error 2
>>      [exit code 2]
>>
>> But with '-r podman' it works like a charm.
>>
>> Would it make sense to switch the default runtime to podman to
>> prevent non-functional podman-docker emulation?  (Or is this just a
>> problem on my machine?)
> 
> Yeah, I think it would be better to prefer podman over docker if both
> existed on the system. Something like this should do that?
> 
> diff --git a/scripts/container b/scripts/container
> index dbe92630f05b..50c4ae851001 100755
> --- a/scripts/container
> +++ b/scripts/container
> @@ -105,7 +105,7 @@ class PodmanRuntime(CommonRuntime):
>   class Runtimes:
>       """List of all supported runtimes"""
>   
> -    runtimes = [DockerRuntime, PodmanRuntime]
> +    runtimes = [PodmanRuntime, DockerRuntime]
>   
>       @classmethod
>       def get_names(cls):

Yes this should do the trick, although the help message and docs
would need to be updated too.

A better way still would be to make it able to distinguish between
actual Docker and docker-compatible Podman (e.g. if it's just a
symlink) so it's not just down to luck.  This may be added to the
list of potential improvements.

Feel free to make these tweaks now, or we might wait a bit to see if
others have more feedback with further changes and I can send a v4.

Cheers,
Guillaume

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Guillaume Tucker]

Hi Nicolas,

On 20/01/2026 2:54 pm, Nicolas Schier wrote:
> Out-of-source builds do not work on my system with podman.  If this is
> expected, I think it would be great to mention that somewhere in the
> documentation.

Yes, as discussed with Nathan.  So here's the list of potential
improvements gathered so far:

* automatically pick Podman first, Docker second
* explicitly mention docker.io registry in examples
* mention TuxMake available images more explicitly in the docs
* mention that out-of-tree builds aren't supported yet
* distinguish true Docker from Docker-compatible Podman
* add support for out-of-tree output build directory
* add option for mounting source tree from arbitrary path
   (needed for nested containers e.g. Docker-in-Docker)
* detect when Docker has namespace support enabled and document
* add user config file with default images and runtime etc.

Then beyond that we could consider other container runtimes such as
containerd, lxc, runc or whatever works in practice.

> Nevertheless, thanks a lot!  I expect me to use that a lot in the
> future!
> 
> For the whole patch set:
> Tested-by: Nicolas Schier<nsc@kernel.org>
> Acked-by: Nicolas Schier<nsc@kernel.org>

Thank you!  Let's hope others will find it useful too.

Cheers,
Guillaume

Re: [PATCH v3 2/2] Documentation: dev-tools: add container.rst page

[Nathan Chancellor]

On Wed, Jan 21, 2026 at 10:55:53AM +0100, Guillaume Tucker wrote:
> Feel free to make these tweaks now, or we might wait a bit to see if
> others have more feedback with further changes and I can send a v4.

How about this? Send a v4 with:

1. An initial MAINTAINERS entry addition in patch 1 for
   scripts/container like I suggested earlier and scripts/container
   explicitly added to the KERNEL BUILD section so that Nicolas and I
   are included for handling patches.

2. Add the Documentation to the aforementioned MAINTAINERS entry as part
   of patch 2.

3. Either encorporate my suggested change for preferring podman over
   docker with the appropriate changes elsewhere inte the patch set like
   you mentioned or explore checking for the docker alias explicitly.
   Entirely up to you timewise, as long as it results in Nicolas's
   environment working, since I don't think that will be too uncommon.

4. Encorporate any other feedback that you feel is appropriate at this
   stage (if there is any low hanging fruit).

Then we can apply it so that folks can start using it in -next for
testing and validation. After that, you can start thinking of things you
would want to work on for future merge windows from the list you already
started, as I know how that goes when working on a new tool :)

Cheers,
Nathan

Re: [PATCH v3 2/2] Documentation: dev-tools: add container.rst page

[Guillaume Tucker]

Hi Nicolas,

On 20/01/2026 2:53 pm, Nicolas Schier wrote:
>> +User IDs
>> +========
>> +
>> +This is an area where the behaviour will vary slightly depending on the
>> +container runtime.  The goal is to run commands as the user invoking the tool.
>> +With Podman, a namespace is created to map the current user id to a different
>> +one in the container (1000 by default).  With Docker, while this is also
>> +possible with recent versions it requires a special feature to be enabled in
>> +the daemon so it's not used here for simplicity.  Instead, the container is run
>> +with the current user id directly.  In both cases, this will provide the same
>> +file permissions for the kernel source tree mounted as a volume.  The only
>> +difference is that when using Docker without a namespace, the user id may not
>> +be the same as the default one set in the image.
>> +
>> +Say, we're using an image which sets up a default user with id 1000 and the
>> +current user calling the ``container`` tool has id 1234.  The kernel source
>> +tree was checked out by this same user so the files belong to user 1234.  With
>> +Podman, the container will be running as user id 1000 with a mapping to id 1234
>> +so that the files from the mounted volume appear to belong to id 1000 inside
>> +the container.  With Docker and no namespace, the container will be running
>> +with user id 1234 which can access the files in the volume but not in the user
>> +1000 home directory.  This shouldn't be an issue when running commands only in
>> +the kernel tree but it is worth highlighting here as it might matter for
>> +special corner cases.
> I tested a tiny bit with podman as runtime backend.  If I leave out the
> '-r podman' podman's docker emulation is in effect and fails with:
> 
>      $ scripts/container -i docker.io/tuxmake/korg-clang -- make LLVM=1 -j8 olddefconfig
>      Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
>      mkdir: cannot create directory '.tmp_15': Permission denied
>      mkdir: cannot create directory '.tmp_19': Permission denied
>      mkdir: cannot create directory '.tmp_22': Permission denied
>      mkdir: cannot create directory '.tmp_25': Permission denied
>      mkdir: cannot create directory '.tmp_28': Permission denied
>      mkdir: cannot create directory '.tmp_31': Permission denied
>        HOSTCC  scripts/basic/fixdep
>      error: error opening 'scripts/basic/.fixdep.d': Permission denied
>      1 error generated.
>      make[2]: *** [scripts/Makefile.host:114: scripts/basic/fixdep] Error 1
>      make[1]: *** [/src/Makefile:655: scripts_basic] Error 2
>      make: *** [Makefile:248: __sub-make] Error 2
>      [exit code 2]
> 
> But with '-r podman' it works like a charm.
> 
> Would it make sense to switch the default runtime to podman to
> prevent non-functional podman-docker emulation?  (Or is this just a
> problem on my machine?)

Yes, I just had a quick look as I'm not familiar with the setup to
run Docker commands on top of the Podman backend.  So I'll swap the
order like Nathan suggested so that Podman takes priority over Docker
and add a note to the docs.  It's on the list of improvements and
I'll work on a proper fix once the initial version of the tool has
landed, assuming this is not a blocking issue.

Thanks for trying it out and reporting this use case.

Cheers,
Guillaume

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Guillaume Tucker]

Hi Nicolas,

On 20/01/2026 14:54, Nicolas Schier wrote:
> Out-of-source builds do not work on my system with podman.  If this is
> expected, I think it would be great to mention that somewhere in the
> documentation.

The v4 now mentions this and also includes a trick using bind-mount:

  mkdir -p $HOME/tmp/my-kernel-build
  mkdir -p build
  sudo mount --bind $HOME/tmp/my-kernel-build build
  scripts/container -i kernel.org/gcc -- make mrproper
  scripts/container -i kernel.org/gcc -- make O=build defconfig
  scripts/container -i kernel.org/gcc -- make O=build -j$(nproc)

Would this work for your use-case?  Directory names are entirely
arbitrary.  It's not ideal but might be good enough as a workaround
until this gets properly supported by the tool in a future version.

Cheers,
Guillaume

Re: [PATCH v3 2/2] Documentation: dev-tools: add container.rst page

[Guillaume Tucker]

Hi Nathan,

On 22/01/2026 05:55, Nathan Chancellor wrote:
> On Wed, Jan 21, 2026 at 10:55:53AM +0100, Guillaume Tucker wrote:
>> Feel free to make these tweaks now, or we might wait a bit to see if
>> others have more feedback with further changes and I can send a v4.
> 
> How about this? Send a v4 with:
> 
> 1. An initial MAINTAINERS entry addition in patch 1 for
>    scripts/container like I suggested earlier and scripts/container
>    explicitly added to the KERNEL BUILD section so that Nicolas and I
>    are included for handling patches.
> 
> 2. Add the Documentation to the aforementioned MAINTAINERS entry as part
>    of patch 2.
> 
> 3. Either encorporate my suggested change for preferring podman over
>    docker with the appropriate changes elsewhere inte the patch set like
>    you mentioned or explore checking for the docker alias explicitly.
>    Entirely up to you timewise, as long as it results in Nicolas's
>    environment working, since I don't think that will be too uncommon.
> 
> 4. Encorporate any other feedback that you feel is appropriate at this
>    stage (if there is any low hanging fruit).

Sounds great, I just sent a v4 as described above.  I've kept any
extra features out for now to avoid introducing new issues and added
a workaround for out-of-tree builds in the docs.  Hopefully this will
solve Nicolas' use cases and work for others too.

> Then we can apply it so that folks can start using it in -next for
> testing and validation. After that, you can start thinking of things you
> would want to work on for future merge windows from the list you already
> started, as I know how that goes when working on a new tool :)

Thanks again for all the reviews, it'll be good to see what people
make of it!  Meanwhile I'll keep working on further improvements,
starting with the limitations mentioned in the docs.

Cheers,
Guillaume

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Nicolas Schier]

On Thu, Jan 22, 2026 at 03:12:36PM +0100, Guillaume Tucker wrote:
> Hi Nicolas,
> 
> On 20/01/2026 14:54, Nicolas Schier wrote:
> > Out-of-source builds do not work on my system with podman.  If this is
> > expected, I think it would be great to mention that somewhere in the
> > documentation.
> 
> The v4 now mentions this and also includes a trick using bind-mount:
> 
>   mkdir -p $HOME/tmp/my-kernel-build
>   mkdir -p build
>   sudo mount --bind $HOME/tmp/my-kernel-build build
>   scripts/container -i kernel.org/gcc -- make mrproper
>   scripts/container -i kernel.org/gcc -- make O=build defconfig
>   scripts/container -i kernel.org/gcc -- make O=build -j$(nproc)
> 
> Would this work for your use-case?  Directory names are entirely
> arbitrary.  It's not ideal but might be good enough as a workaround
> until this gets properly supported by the tool in a future version.

sorry for the long delay.  Yes, thanks for the follow-up!

Kind regards,
Nicolas

Re: [PATCH v3 0/2] scripts: introduce containerized builds

[Guillaume Tucker]

Hi Nicolas,

On 27/01/2026 9:13 pm, Nicolas Schier wrote:
> On Thu, Jan 22, 2026 at 03:12:36PM +0100, Guillaume Tucker wrote:
>> Hi Nicolas,
>>
>> On 20/01/2026 14:54, Nicolas Schier wrote:
>>> Out-of-source builds do not work on my system with podman.  If this is
>>> expected, I think it would be great to mention that somewhere in the
>>> documentation.
>>
>> The v4 now mentions this and also includes a trick using bind-mount:
>>
>>    mkdir -p $HOME/tmp/my-kernel-build
>>    mkdir -p build
>>    sudo mount --bind $HOME/tmp/my-kernel-build build
>>    scripts/container -i kernel.org/gcc -- make mrproper
>>    scripts/container -i kernel.org/gcc -- make O=build defconfig
>>    scripts/container -i kernel.org/gcc -- make O=build -j$(nproc)
>>
>> Would this work for your use-case?  Directory names are entirely
>> arbitrary.  It's not ideal but might be good enough as a workaround
>> until this gets properly supported by the tool in a future version.
> 
> sorry for the long delay.  Yes, thanks for the follow-up!

Great!  Thank you for confirming.  It's now in linux-next.

Cheers,
Guillaume