-
I just came across the (archived) https://github.com/rootless-containers/runrootless project and the README there mentions the exact same issues with Finally, I'm wondering what rootless Podman & Docker do differently to get things to work? My apologies for very likely asking dumb questions here! As you can tell I'm relatively new to the topic of how containers work under the hood and I've already spent hours trying to research my questions – without really getting anywhere.
-
This has to be false for
-
So, there are a couple of issues here:
Making those two changes makes your examples work on my machine. However, there are a few other issues you might run into, so I'll list them here:
When I first implemented rootless containers for runc, the intention was to allow you to run containers on a system where you have no administrative permissions at all and cannot use any setuid helpers. On Linux, this means you can only map a single user in a user namespace. Since we later added the ability to use setuid helpers, I used "fully rootless" to refer to the original model where there is only a single user mapped.
They map enough IDs and include the necessary capabilities, which should be sufficient to fix most of the issues you're running into.
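To make the point about "fully rootless" (only a single user mapped) concrete, here is an added example that is not code from this discussion or from runc: it builds the OCI `uidMappings`/`gidMappings` entries for a rootless config.json, once with the single-user map and once with a subordinate range (assumed here to be a typical `/etc/subuid` grant of 100000..165535), and checks whether an in-container UID such as 1000 is actually mapped.

```python
# Added example, not from the discussion or from runc. The single-user map is the
# "fully rootless" model cyphar describes; the ranged map is what a subuid-backed
# setup (as rootless Podman uses) looks like. Sample IDs are constructed.
from typing import Dict, List, Optional

Mapping = Dict[str, int]


def oci_mappings(host_id: int, sub_start: Optional[int] = None,
                 sub_size: int = 0) -> List[Mapping]:
    """Return entries in the shape config.json expects under uidMappings/gidMappings.

    Without a subordinate range only container ID 0 exists (single user mapped).
    With one, container IDs 1..sub_size land on the subordinate host range.
    """
    entries = [{"containerID": 0, "hostID": host_id, "size": 1}]
    if sub_start is not None and sub_size > 0:
        entries.append({"containerID": 1, "hostID": sub_start, "size": sub_size})
    return entries


def resolve(entries: List[Mapping], container_id: int) -> Optional[int]:
    """Translate a container-side ID to its host ID, or None when unmapped.

    An unmapped ID is the failure mode behind `su user` not working: the kernel
    has no host identity for it and refuses to switch to it.
    """
    for e in entries:
        lo = e["containerID"]
        if lo <= container_id < lo + e["size"]:
            return e["hostID"] + (container_id - lo)
    return None


def unmapped_ids(entries: List[Mapping], ids: List[int]) -> List[int]:
    """Subset of `ids` that the namespace cannot represent."""
    return [i for i in ids if resolve(entries, i) is None]


def render_proc_map(entries: List[Mapping]) -> str:
    """Same three columns as /proc/<pid>/uid_map shows inside the container."""
    return "\n".join(f"{e['containerID']:>10} {e['hostID']:>10} {e['size']:>10}"
                     for e in entries)


if __name__ == "__main__":
    single = oci_mappings(1000)                  # only root is mapped
    ranged = oci_mappings(1000, 100000, 65536)   # constructed subuid range
    for name, m in (("single", single), ("ranged", ranged)):
        print(f"{name}:\n{render_proc_map(m)}")
        print("unmapped of [0, 1000]:", unmapped_ids(m, [0, 1000]))
```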
-
@cyphar Once again thank you for helping me! I just returned from my vacation and followed your suggestions:
Moreover, I added a few more capabilities to enable usage of chown/chmod/ping inside the container, and bind-mounted /etc/resolv.conf while removing the "network" namespace, so as to allow processes inside the container to access the internet & my local DNS resolver.) Here is the resulting config.json. At this point, After a while,
With these two changes,
Do you happen to have an idea what this could be about?
-
Hi there!
I'm dabbling with runc in order to understand rootless container internals a bit better and, in particular, how to nest them. However, even before nesting them I'm struggling to switch to a non-root user inside a container I started with runc.
For the record, rootless Podman works fine on my machine and even nesting rootless Podman containers works (`podman run --user podman quay.io/podman/stable podman run --user podman quay.io/podman/stable whoami` etc.), which leads me to believe I either messed up my OCI bundle's config.json, its rootfs (its file permissions) or both. But let me start from the beginning:
I use Podman to create a rootfs from the following Dockerfile:
To create the rootfs I run:
I also create the following auxiliary folders in the same working dir:
Then inside that working directory I create a config.json with the contents below. It is a modified default config (`runc spec --rootless`), where I modified the rootfs (made it an overlayfs), and adjusted the uidMappings/gidMappings, the working directory, default command/shell, and additionally mounted the ro-rootfs from above as "external volume" under `/home/user/ro-rootfs` (again, the idea was to nest containers later):
Then I start my container using `runc run mytestcontainer`. So far, so good. Unfortunately, when I run `su user` inside my container I get:
Similarly, when trying `apt update`:
Meanwhile, setting `process.user.(uid|gid)` in config.json to UID/GID 1000 directly leads to `runc run mytestcontainer` failing right from the start.
What gives?
A couple of things I double-checked:
- The `su` binary in my container has the setuid bit set:
- `/etc/passwd`, `/etc/group`, `/etc/shadow` inside the container look as expected:
- `/tmp` (under which I create the rootfs/bundle) is not mounted as tmpfs (i.e. not mounted with noexec or nosuid, either). `df /tmp` outputs my root partition.
I'm really at a loss here and would very much appreciate any pointers! Thanks so much!