experimental support for rootless mode #2006
Conversation
Codecov Report
@@            Coverage Diff             @@
##           master    #2006      +/-   ##
==========================================
+ Coverage      45%   45.18%   +0.17%
==========================================
  Files          92       95       +3
  Lines        9412     9481      +69
==========================================
+ Hits         4236     4284      +48
- Misses       4493     4512      +19
- Partials      683      685       +2
oci/spec_opts_unix.go
| func WithRootless(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error { | ||
| specconv.ToRootless(s) | ||
| // without removing CgroupsPath, runc fails: | ||
| // "process_linux.go:279: applying cgroup configuration for process caused \"mkdir /sys/fs/cgroup/cpuset/default: permission denied\"" |
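Review bot: the comment explains that runc fails with "mkdir /sys/fs/cgroup/cpuset/default: permission denied" unless CgroupsPath is removed, but the lines shown only call specconv.ToRootless(s); keep the statement that clears CgroupsPath directly under this comment so the two stay together, and give the exported WithRootless a doc comment that states what the PR description says, namely that it strips cgroup configuration and that callers may re-add cgroup settings afterwards only when the permission bits on the cgroup filesystems are preconfigured.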
PR for runc: opencontainers/runc#1691
Let's wait for the other dependent PRs to be merged first before force vendoring code that does not exist in mainline projects. It's just tempting errors from merging if people don't pay attention. Only open PRs when they can be reviewed and are actionable or else they just sit and add more to our PR list when we cannot do anything with it.

@AkihiroSuda Is there an issue for this capturing the main blockers for rootless? I think there may be some others, such as how snapshotters are handled and security around that.

The only blocker I see for this PR is opencontainers/runc#1688, which is required for allowing unprivileged users to mount filesystems using mountns+userns. I think we can reopen and merge this PR when opencontainers/runc#1688 gets merged. Other issues / PRs are only required for advanced use cases such as running
Overlay snapshotter works in unprivileged userns in Ubuntu, but not in other distros: (Ubuntu kernel patch) So I'd suggest using the naive snapshotter for rootless mode.

Reopened PR. (Thank you @crosbymichael for merging opencontainers/runc#1688)

CI failure will be fixed via opencontainers/runc#1808

@AkihiroSuda merged the fix in 1808
abc411e to 079266c

weird CI failure, but seems unrelated

rebased
runtime/linux/proc/process.go
Can we run this in Init() to prevent it from needing to be checked every time? My understanding is this won't change during the lifetime of the daemon.
addressed @dmcgowan's comment

10dabc1 to 1cf60bc

Refactored as in moby/buildkit#479 and in moby/buildkit#486

3d98d8d to f62396a

7a0311a to 86b4941
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>

will reopen and rebase when opencontainers/runc#1862 gets merged

Hey @AkihiroSuda!
| } | ||
| app.Action = func(context *cli.Context) error { | ||
| if runtime.GOOS == "linux" && os.Geteuid() != 0 { | ||
| return errors.New("rootless mode requires the daemon to be executed as the mapped root in a user namespace") |
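Review bot: the unconditional os.Geteuid() != 0 check turns running the daemon as a plain unprivileged user, without first entering a user namespace as mapped root, into a hard startup error, which is exactly the setup Callisto13 reports as working further down this thread; since the author agrees to drop the check once opencontainers/runc#1862 lands, either remove it here or downgrade it to a logged warning so that the non-userns case is not blocked, and if it stays, extend the error text to say what the daemon will fail to do without the mapping.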
@Callisto13 do you mean removing this check?
yes that's the one.
I mean we removed it because we didn't need to enforce it for our rootless case. It may be necessary for other use cases, but for us we didn't need to start the server in a new ns, or use oci.WithRootless() in our client.
Sure, I'll rebase and remove the check from this PR when opencontainers/runc#1862 gets merged.
Cool thanks!
Hey @AkihiroSuda
Just sharing with you all the hacky changes we made to your PR branch. I've added some notes to explain things but ping me with any questions. Using these changes based on your PR, garden was able to use containerd as a non-priv user (for basic create/exec/delete lifecycle, other things may yet fall out).
masters-of-cats@242e830
:)
Thanks, will look into 👍
(off-topic: Is your ContainerCamp slide deck available online?)
The slides should be made available by the organisers when they publish the videos... I think.
Or I can just share the slides (they are in Google Drive) using the email on your profile.
Edit: or I will just make them public. Nothing secret or special about them anyway :)
Thanks, could you send me the link to the slides if you don't mind 🙏

refreshed PR as #2766
Signed-off-by: Akihiro Suda suda.akihiro@lab.ntt.co.jp
The changes are mostly for setting up default paths under $HOME and providing a rootless OCI spec generator. Substantially no change on the daemon.
Rootless mode (Experimental)
Requirements:
- echo 1 > /proc/sys/kernel/unprivileged_userns_clone
- newuidmap and newgidmap need to be installed on the host. These commands are provided by the uidmap package on most distros.
- /etc/subuid and /etc/subgid should contain >= 65536 sub-IDs, e.g. penguin:231072:65536.
- USER, docker run --privileged is still required. See also Jessie's blog: https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/
Daemon-side remarks:
- Root directory: /home/$USER/.local/share/containerd by default.
- Socket: /run/user/$UID/containerd/containerd.sock by default.
- overlayfs snapshotter is not supported except on Ubuntu-flavored kernel. native snapshotter should work on non-Ubuntu kernel.
Go client library remarks:
- oci.WithRootless() removes Cgroups configuration. However, you can still set Cgroups configurations after calling oci.WithRootless(), if the permission bits are preconfigured on cgroup filesystems.
Network namespace remarks:
Usage
Terminal 1:
Unsharing mountns (and userns) is required for mounting filesystems without real root privileges.
Terminal 2:
Terminal 1:
Terminal 2:
Usage (RootlessKit)
RootlessKit can be used for executing unshare and newuidmap/newgidmap at once. RootlessKit also supports unsharing the network namespace with usermode NAT such as VPNKit and libvdeplug_slirp.
Terminal 1:
The following example is tested with RootlessKit 20b0fc24b305b031a61ef1a1ca456aadafaf5e77.
Terminal 2: