implement rootless mode
Please refer to docs/rootless.md. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Showing
with
4,321 additions
and 10 deletions.
- +6 −0 cmd/buildkitd/main.go
- +3 −0 cmd/buildkitd/main_containerd_worker.go
- +10 −1 cmd/buildkitd/main_oci_worker.go
- +47 −0 docs/rootless.md
- +20 −0 executor/oci/rootless.go
- +16 −2 executor/runcexecutor/executor.go
- +1 −0 vendor.conf
- +61 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/blkio_device.go
- +122 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
- +6 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_windows.go
- +348 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
- +61 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/config_linux.go
- +57 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/device.go
- +111 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
- +9 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/hugepage_limit.go
- +7 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/intelrdt.go
- +14 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/interface_priority_map.go
- +39 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/mount.go
- +5 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces.go
- +122 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go
- +31 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall.go
- +13 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall_unsupported.go
- +8 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_unsupported.go
- +72 −0 vendor/github.com/opencontainers/runc/libcontainer/configs/network.go
- +76 −0 vendor/github.com/opencontainers/runc/libcontainer/seccomp/config.go
- +258 −0 vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go
- +24 −0 vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_unsupported.go
- +221 −0 vendor/github.com/opencontainers/runc/libcontainer/specconv/example.go
- +830 −0 vendor/github.com/opencontainers/runc/libcontainer/specconv/spec_linux.go
- +93 −0 vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go
- +127 −0 vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go
- +44 −0 vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
- +22 −0 vendor/github.com/seccomp/libseccomp-golang/LICENSE
- +51 −0 vendor/github.com/seccomp/libseccomp-golang/README
- +864 −0 vendor/github.com/seccomp/libseccomp-golang/seccomp.go
- +508 −0 vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
- +14 −7 worker/runc/runc.go
@@ -0,0 +1,47 @@ | ||
# Rootless mode (Experimental) | ||
|
||
Requirements: | ||
- runc with https://github.com/opencontainers/runc/pull/1688 | ||
- Some distros such as Arch Linux require `echo 1 > /proc/sys/kernel/unprivileged_ns_clone` | ||
|
||
|
||
## Terminal 1: | ||
|
||
``` | ||
$ unshare -U -m | ||
unshared$ echo $$ | ||
3539 | ||
``` | ||
|
||
Unsharing mountns (and userns) is required for mounting filesystems without real root privileges. | ||
|
||
## Terminal 2: | ||
|
||
``` | ||
$ id -u | ||
1001 | ||
$ grep $(whoami) /etc/subuid | ||
suda:231072:65536 | ||
$ grep $(whoami) /etc/subgid | ||
suda:231072:65536 | ||
$ newuidmap 3539 0 1001 1 1 231072 65536 | ||
$ newgidmap 3539 0 1001 1 1 231072 65536 | ||
``` | ||
|
||
## Terminal 1: | ||
|
||
``` | ||
unshared# buildkitd --root /home/suda/.local/share/buildkit --addr unix:///run/user/1001/buildkitd.sock --containerd-worker false --oci-worker-overlayfs=false --root | ||
less | ||
``` | ||
|
||
- On Ubuntu, no need to specify `--oci-worker-overlayfs` to `false`, as unprivileged overlayfs is supported: http://kernel.ubuntu.com/git/ubuntu/ubuntu-artful.git/commit/fs/overlayfs?h=Ubuntu-4.13.0-25.29&id=0a414bdc3d01f3b61ed86cfe3ce8b63a9240eba7 | ||
- containerd worker is not supported ( pending PR: https://github.com/containerd/containerd/pull/2006 ) | ||
|
||
## Terminal 2: | ||
|
||
``` | ||
$ go run ./examples/buildkit0 | buildctl --addr unix:///run/user/1001/buildkitd.sock build | ||
``` | ||
|
||
- `apt` is not supported (pending PRs: https://github.com/opencontainers/runc/pull/1693 https://github.com/opencontainers/runc/pull/1692 ) |
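--- a/executor/oci/rootless.go
+++ b/executor/oci/rootless.go
@@ -0,0 +1,20 @@
+package oci
+
+import (
+	"context"
+
+	"github.com/containerd/containerd/containers"
+	"github.com/containerd/containerd/oci"
+	"github.com/opencontainers/runc/libcontainer/specconv"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// WithRootless sets the container to be rootless mode.
+// This function will be removed when containerd/containerd#2006 gets merged
+func WithRootless(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
+	specconv.ToRootless(s)
+	// without removing CgroupsPath, runc fails:
+	// "process_linux.go:279: applying cgroup configuration for process caused \"mkdir /sys/fs/cgroup/cpuset/default: permission denied\""
+	s.Linux.CgroupsPath = ""
+	return nil
+}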
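Review bot: The assignment `s.Linux.CgroupsPath = ""` dereferences `s.Linux` without a nil check, so a spec that carries no Linux section panics inside the option instead of returning an error; a guard such as `if s.Linux == nil { return errors.New("rootless: spec has no linux section") }` placed before the `specconv.ToRootless(s)` call would surface the failure to the caller (it presumably protects ToRootless too, whose body is not visible on this page). Clearing CgroupsPath also means no cgroup-enforced resource limits apply to rootless containers, which the doc comment should state, e.g. `// CgroupsPath is cleared, so rootless containers run without cgroup resource limits.` The vendored `ToRootless` appears to live in `libcontainer/specconv/spec_linux.go` per the diffstat, so `rootless.go` likely needs a `_linux` suffix or a build constraint to keep non-Linux builds of this package compiling.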