[FEATURE] [CLI] Support rootless containerd #687

Open
Kern-- opened this issue Jun 23, 2023 · 0 comments · May be fixed by #950
Labels
feature New feature or request

Kern-- commented Jun 23, 2023

Description

Containerd/nerdctl have instructions for setting up a rootless containerd with rootlesskit. What this does is it launches containerd in a user namespace with some additional tools so that it can set up containers without root.

Nerdctl has a special code path to enter the containerd namespace when not running as root by re-execing itself.

The SOCI CLI doesn't have this, so in order to work with rootless containerd, users need to manually enter the namespace before running SOCI commands:

$ pid=$(cat "$XDG_RUNTIME_DIR/containerd-rootless/child_pid")
$ nsenter --user --mount --target "$pid"

After these commands, the new shell that the user finds themselves in works as expected:

# soci create docker.io/library/rabbitmq:latest
layer sha256:685bcbcad0b80b451a2415d07660eee735255aebf24055f0373ad754e8a43ec7 -> ztoc skipped
layer sha256:db610c556cbba7c80925a3c63541e67b83115ce413433a9ee10c814f81755df2 -> ztoc skipped
layer sha256:046b2545f90296ab8ebbfe6f83bc8a6cb48d3b5687c63e0b876ba3e32a6198d7 -> ztoc skipped
layer sha256:be93a5592724b5b988c99fd89f1de826660e326542ac0d8c5349134449d4c73c -> ztoc skipped
layer sha256:8733cec7e1ec21393fac1f2e08a0378b235ef2a96042926bfaa1c12441aba22c -> ztoc skipped
layer sha256:9d03529088ec86fd9d0df9ff4a95508f3df5372db5ea3c9c14d24b796dada8e1 -> ztoc skipped
layer sha256:c37a463dc99cf3733550357349eaeb27d4ce00e2e873b9c1bd3a0f7e8d4b8094 -> ztoc skipped
layer sha256:c414cb9e1350361b7afd48be1ff0382065a228d71fdd7d7d7af8ff6fee5643a5 -> ztoc sha256:8fa3584379f7df8141c979722cab39e2115b25331fd4062b48293fba9ef9781a
layer sha256:3f94e4e483ea634d7ab0b63649b8f72f8b721d4c626297fd0edae0abea1df9e9 -> ztoc sha256:805231d2f14576ca61fdcb8b5cfe592dca9e5da1868f02d1ee2bb3c0bdb907e0
layer sha256:396c21d32d40bd506b1a76329731cc252b2c00166e161a185040ea2c380117c4 -> ztoc sha256:b728ffaf64cb75febe818952993b51e98089a4332925494a60f6800a3ad38ca3

The snapshotter is specifically out of scope for this issue. I will create a follow-up for that because it involves some thinking around how we get the snapshotter installed. Maybe we have an optional install script that modifies the rootless containerd config?

Describe the solution you'd like

SOCI should be able to run with rootless containerd without any special setup on the user's behalf.

Describe any alternative solutions/features you've considered

No response

Any additional context or information about the feature request

No response

@Kern-- Kern-- added the feature New feature or request label Jun 23, 2023
@tuananh tuananh linked a pull request Nov 19, 2023 that will close this issue
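
The manual workaround from the issue, wrapped as shell functions (an added example, not part of the original issue or the SOCI code base; `rootless_child_pid` and `soci_rootless` are hypothetical names). It validates the `child_pid` file before the value reaches `nsenter`, and uses the same `nsenter` flags as the commands in the issue.

```shell
#!/bin/sh
# Added example, not SOCI project code. Function names are hypothetical.

# Print the PID recorded by rootless containerd, after checking that the file
# holds a plain number and that the process is alive and signalable by us.
# $1 (optional): runtime directory, defaults to $XDG_RUNTIME_DIR.
rootless_child_pid() {
    runtime_dir=${1:-${XDG_RUNTIME_DIR:-}}
    [ -n "$runtime_dir" ] || { echo "XDG_RUNTIME_DIR is not set" >&2; return 1; }

    pid_file=$runtime_dir/containerd-rootless/child_pid
    [ -r "$pid_file" ] || { echo "no rootless containerd at $pid_file" >&2; return 1; }

    pid=$(cat "$pid_file")
    # Reject empty content and anything that is not purely digits, so the
    # value can never be read as an extra nsenter option or shell word.
    case $pid in
        ''|*[!0-9]*) echo "unexpected content in $pid_file" >&2; return 1 ;;
    esac

    # A stale file can name a PID that has exited or been reused. kill -0 sends
    # no signal; it succeeds only if the PID exists and the caller is allowed
    # to signal it (for an unprivileged user: a process running as that user).
    kill -0 "$pid" 2>/dev/null || { echo "process $pid is not usable" >&2; return 1; }

    printf '%s\n' "$pid"
}

# Run soci inside the user and mount namespaces of rootless containerd.
# Usage: soci_rootless create docker.io/library/rabbitmq:latest
soci_rootless() {
    target=$(rootless_child_pid) || return 1
    nsenter --user --mount --target "$target" -- soci "$@"
}
```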
Projects
Status: 📋 Backlog