$ mkdir -p ~/.config/containerd
$ vi ~/.config/containerd/config.toml
(you can use `dotconfig_containetd_config.toml` as a template)
$ unshare -U -m
unshared$ echo $$
3539
Unsharing mountns (and userns) is required for mounting overlayfs.
$ id -u
1001
$ grep $(whoami) /etc/subuid
suda:231072:65536
$ grep $(whoami) /etc/subgid
suda:231072:65536
$ newuidmap 3539 0 1001 1 1 231072 65536
$ newgidmap 3539 0 1001 1 1 231072 65536
unshared# echo "root:1:65536" > ~/.config/containerd/subuidgid
unshared# mount --bind --ro ~/.config/containerd/subuidgid /etc/subuid
unshared# mount --bind --ro ~/.config/containerd/subuidgid /etc/subgid
unshared# mount -t tmpfs none /run/containerd
- Mounting
/etc/sub{u,g}id
is needed for enablingnewuidmap(1)
andnewgidmap(1)
to be called from runc to enablesetgroups(2)
within containers. (needed for e.g. apt) - Mounting
/run/containerd
is needed for issue XXXXX. (runtimes.linux.runtime_root
is not hornored)
unshared# containerd -c ~/.config/containerd/config.toml
$ nsenter -U -m -t 3539
unshared# ctr -a /run/user/1001/containerd/containerd.sock images pull docker.io/library/alpine:latest
unshared# ctr -a /run/user/1001/containerd/containerd.sock run -t --rm --rootless --fifo-dir /run/user/1001/containerd/fifo docker.io/library/alpine:latest foo
container# echo "nameserver 8.8.8.8" > /etc/resolv.conf
container# apk update
container# apk add fortune
Make sure you can also execute apt and yum,
- The container works in host netns, but
--host-net
fails for some bind-mount error.