From 4e1ccdbb1a5867f16ed5e233450d5a6212d4ea68 Mon Sep 17 00:00:00 2001
From: veilor
Date: Thu, 30 Apr 2026 04:16:07 +0100
Subject: [PATCH] =?UTF-8?q?build:=20switch=20ISO=20run=20to=20rootful=20po?= =?UTF-8?q?dman=20=E2=80=94=20rootless=20can't=20losetup=20(host=20CAP=5FS?= =?UTF-8?q?YS=5FADMIN=20rejection)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 build/build-iso.sh | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/build/build-iso.sh b/build/build-iso.sh
index cb3c564..a430efc 100755
--- a/build/build-iso.sh
+++ b/build/build-iso.sh
@@ -19,12 +19,23 @@ if command -v ksvalidator &>/dev/null; then
 ksvalidator "$KS"
 fi
-# ── Build container ──
+# ── Build container (rootless OK) ──
 podman build -t veilor-build:latest "$REPO_ROOT/build"
-# ── Build ISO ──
-# --make-iso requires --privileged (loop devices, mount).
-podman run --rm --privileged \
+# ── Build ISO (rootful — losetup + mount need real CAP_SYS_ADMIN) ──
+# rootless podman can't create loop devices even with --privileged because the
+# host kernel rejects CAP_SYS_ADMIN from a user namespace.
+SUDO=""
+if [[ $EUID -ne 0 ]]; then
+ SUDO="sudo"
+ echo "[INFO] Running ISO build under sudo (loop devices require root)"
+fi
+
+# Make rootful podman see the rootless-built image
+$SUDO podman load -i <(podman save veilor-build:latest) 2>/dev/null || \
+ $SUDO podman build -t veilor-build:latest "$REPO_ROOT/build"
+
+$SUDO podman run --rm --privileged \
 --security-opt label=disable \
 -v /dev:/dev \
 -v "$REPO_ROOT:/work" \
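Review bot: The image hand-off on the `$SUDO podman load -i <(podman save veilor-build:latest)` line does not work in the case it was written for, i.e. when SUDO is set to `sudo`: process substitution yields a `/dev/fd/N` path, and sudo by default (its `closefrom` setting) closes every descriptor above 2 before exec, so rootful podman sees a missing file, the `2>/dev/null` hides that error, and the `||` branch silently rebuilds the whole image as root — the comment "Make rootful podman see the rootless-built image" then describes behaviour that only occurs when EUID is already 0. Piping over stdin, which sudo does preserve, avoids this: replace the line with `podman save veilor-build:latest | $SUDO podman load || \` and keep the existing fallback line; drop the `2>/dev/null` as well so a genuine load failure is visible before the expensive rebuild runs. Whether the script sets `set -o pipefail` is outside the hunk; if it does, a failing `podman save` also takes the fallback, which is the intended outcome either way. On the `echo "[INFO] …"` line the diagnostic should go to stderr, `>&2`, so it does not mix with any stdout a caller of this script captures.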