forked from moby/buildkit
Commit
implement rootless mode
Please refer to docs/rootless.md

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
1 parent: ff49ce8; commit: 511c7e7

Showing 37 changed files with 4,321 additions and 10 deletions.
@@ -0,0 +1,47 @@ | ||
# Rootless mode (Experimental) | ||
|
||
Requirements: | ||
- runc with https://github.com/opencontainers/runc/pull/1688 | ||
- Some distros such as Arch Linux require `echo 1 > /proc/sys/kernel/unprivileged_ns_clone` | ||
|
||
|
||
## Terminal 1: | ||
|
||
``` | ||
$ unshare -U -m | ||
unshared$ echo $$ | ||
3539 | ||
``` | ||
|
||
Unsharing mountns (and userns) is required for mounting filesystems without real root privileges. | ||
|
||
## Terminal 2: | ||
|
||
``` | ||
$ id -u | ||
1001 | ||
$ grep $(whoami) /etc/subuid | ||
suda:231072:65536 | ||
$ grep $(whoami) /etc/subgid | ||
suda:231072:65536 | ||
$ newuidmap 3539 0 1001 1 1 231072 65536 | ||
$ newgidmap 3539 0 1001 1 1 231072 65536 | ||
``` | ||
|
||
## Terminal 1: | ||
|
||
``` | ||
unshared# buildkitd --root /home/suda/.local/share/buildkit --addr unix:///run/user/1001/buildkitd.sock --containerd-worker false --oci-worker-overlayfs=false --root | ||
less | ||
``` | ||
|
||
- On Ubuntu, no need to specify `--oci-worker-overlayfs` to `false`, as unprivileged overlayfs is supported: http://kernel.ubuntu.com/git/ubuntu/ubuntu-artful.git/commit/fs/overlayfs?h=Ubuntu-4.13.0-25.29&id=0a414bdc3d01f3b61ed86cfe3ce8b63a9240eba7 | ||
- containerd worker is not supported ( pending PR: https://github.com/containerd/containerd/pull/2006 ) | ||
|
||
## Terminal 2: | ||
|
||
``` | ||
$ go run ./examples/buildkit0 | buildctl --addr unix:///run/user/1001/buildkitd.sock build | ||
``` | ||
|
||
- `apt` is not supported (pending PRs: https://github.com/opencontainers/runc/pull/1693 https://github.com/opencontainers/runc/pull/1692 ) |
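Review bot: the sysctl path in the Requirements list, `/proc/sys/kernel/unprivileged_ns_clone`, does not match the sysctl that the Arch Linux (and Debian) kernel patch actually exposes, `kernel.unprivileged_userns_clone` (`/proc/sys/kernel/unprivileged_userns_clone`), so the `echo 1 >` as written fails with "No such file or directory"; it is also a root-only, system-wide change, which is worth saying since the rest of the doc is about avoiding root. In the Terminal 2 block, state that `3539` is the example PID printed by `echo $$` in Terminal 1 and must be replaced with the real value, and that `newuidmap`/`newgidmap` must run while that shell is still alive and before `buildkitd` starts, because `/proc/PID/uid_map` and `gid_map` can be written only once per user namespace. Finally, as rendered here the daemon command is split across two lines as `--root` / `less`; make sure the doc carries `--rootless` as a single token so a copy-paste does not pass `--root` twice.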
@@ -0,0 +1,20 @@ | ||
package oci | ||
|
||
import ( | ||
"context" | ||
|
||
"github.com/containerd/containerd/containers" | ||
"github.com/containerd/containerd/oci" | ||
"github.com/opencontainers/runc/libcontainer/specconv" | ||
specs "github.com/opencontainers/runtime-spec/specs-go" | ||
) | ||
|
||
// WithRootless sets the container to be rootless mode. | ||
// This function will be removed when containerd/containerd#2006 gets merged | ||
func WithRootless(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { | ||
specconv.ToRootless(s) | ||
// without removing CgroupsPath, runc fails: | ||
// "process_linux.go:279: applying cgroup configuration for process caused \"mkdir /sys/fs/cgroup/cpuset/default: permission denied\"" | ||
s.Linux.CgroupsPath = "" | ||
return nil | ||
} |
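Review bot: `s.Linux.CgroupsPath = ""` dereferences `s.Linux` without a nil check, so a spec built without a Linux section panics inside the SpecOpts chain instead of returning an error; either guard with `if s.Linux == nil { return errors.New("rootless mode requires a Linux spec") }` before `specconv.ToRootless(s)` (which reads `s.Linux` as well), or document the precondition on the function. The cgroup workaround is justified only by the quoted runc error string; add one line saying that rootless runc cannot create cgroups, so clearing `CgroupsPath` means any resource limits in the spec are not enforced in this mode, which is the part a reader of this shim needs to know. The "will be removed when containerd/containerd#2006 gets merged" sentence should be a `TODO` so the temporary function is easy to find once that PR lands.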
Vendored files not rendered in the diff view:

- vendor/github.com/opencontainers/runc/libcontainer/configs/blkio_device.go: 61 changes (61 additions & 0 deletions)
- vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go: 122 changes (122 additions & 0 deletions)
- vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_windows.go: 6 changes (6 additions & 0 deletions)