Hi all,

in case you didn't read about this already:

https://www.collabora.com/news-and-blog/blog/2018/06/27/introducing-debos/

It uses its own KVM-based tool to perform the image build unprivileged:
https://github.com/go-debos/fakemachine
https://tracker.debian.org/pkg/golang-github-go-debos-fakemachine

Not sure yet if that might be an option for us as well. Not all docker
containers, thus CI targets, may have KVM access permissions.

Jan