basic support for running in an user namespace #1729
Conversation
k8s-ci-robot
added
cncf-cla: yes
size/L
giuseppe
force-pushed
the
rootless
branch
3 times, most recently
from
f90d36d
to
91f1dbd
Compare
|
/cc @AkihiroSuda |
|
@giuseppe: GitHub didn't allow me to request PR reviews from the following users: AkihiroSuda. Note that only kubernetes-incubator members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
🎉 I'll try to add cri-o to Usernetes https://github.com/rootless-containers/usernetes How did you test rootless cri-o? |
server/rootless.go
Outdated
|
|
||
| func makeOCIConfigurationRootless(g *generate.Generator) error { | ||
| g.Config.Linux.Resources = nil | ||
| g.Config.Process.OOMScoreAdj = nil |
There was a problem hiding this comment.
I'm not familiar with apparmor yet but probably it does not work with rootless?
There was a problem hiding this comment.
I am not familiar either but I guess it won't work, similarly with SELinux, I'll force them to ""
There was a problem hiding this comment.
SELinux would work in UserNS. SElinux doesn't care about DAC.
|
@AkihiroSuda I've only used crictl with some basic containers, I'd expect it to fail with more complex ones :-) I am going to test it with Usernetes |
giuseppe
force-pushed
the
rootless
branch
3 times, most recently
from
e3b5bc2
to
9bc3d44
Compare
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
force-pushed
the
rootless
branch
2 times, most recently
from
11ad164
to
91ef229
Compare
giuseppe
changed the title
|
dropping WIP as I could test it with Usernetes and I am able to deploy a simple POD. |
|
/test all |
lib/config.go
Outdated
| @@ -96,6 +96,9 @@ type RootConfig struct { | |||
| // File-based locking is required when multiple users of lib are | |||
| // present on the same system | |||
| FileLocking bool `toml:"file_locking"` | |||
|
|
|||
| // FileLockingPath specifies the path to use for the locking. | |||
| FileLockingPath bool `toml:"file_locking_path"` | |||
There was a problem hiding this comment.
nit: can we fix this commit to not introduce this as bool and rewrite as string in next commit?
There was a problem hiding this comment.
absolutely, I thought I already did it, apparently I screwed the rebase. Pushed a new version
|
I have one nit, otherwise looks fine 👍 |
server/rootless.go
Outdated
| Destination: "/sys", | ||
| Type: "bind", | ||
| Source: "/sys", | ||
| Options: []string{"nosuid", "noexec", "nodev", "ro", "rbind"}, |
There was a problem hiding this comment.
ro, rbind does not make /sys/fs/cgroup read-only recursively, could you cherry-pick https://gist.github.com/AkihiroSuda/889b29c56a3c9b546a843fb03f11d60a ?
There was a problem hiding this comment.
I am seeing an issue when I try to mount cgroup after the /sys/ bind mount. I am trying to fix it in podman first, as the same bind mount is used there and I am using this patch:
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index d9888e99..1bcb92ad 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -44,6 +44,13 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
Options: []string{"nosuid", "noexec", "nodev", "ro", "rbind"},
}
g.AddMount(sysMnt)
+ cgroupMnt := spec.Mount{
+ Destination: "/sys/fs/cgroup",
+ Type: "cgroup",
+ Source: "cgroup",
+ Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
+ }
+ g.AddMount(cgroupMnt)
}
if rootless.IsRootless() {
g.RemoveMount("/dev/pts")The error I see is:
container_linux.go:336: starting container process caused "process_linux.go:402: container init caused \"rootfs_linux.go:57: mounting \\\"/sys/fs/cgroup\\\" to rootfs \\\"/tmp/test/rootfs\\\" at \\\"/sys/fs/cgroup\\\" caused \\\"stat /tmp/test/rootfs/sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service/foo: no such file or directory\\\"\""
There was a problem hiding this comment.
Also, is it possible to exploit it without privileged helpers?
There was a problem hiding this comment.
Sorry you need to compile runc with patched libcontainer/rootfs_linux.go. I'll open PR in a few days.
As the issue won't be exploited without privileged helpers (e.g. pam_cgfs or manual chown invocation), the fix can be postponed.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
I've done another change in the rootless code, now |
|
/test all |
|
/test e2e_rhel |
|
tests are happy. @mrunalp |
Allow to run it in an user namespace. This is only a first step but I was able to run a pod and some basic containers. Leave it undocumented for now as we don't want to stick with this API. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
I forgot to address one comment from @rhatdan, I've included this change now: @@ -19,7 +19,6 @@ func makeOCIConfigurationRootless(g *generate.Generator) error {
g.Config.Linux.Resources = nil
g.Config.Process.OOMScoreAdj = nil
g.Config.Process.ApparmorProfile = ""
- g.Config.Process.SelinuxLabel = ""looks like we need to test again :-( /test all |
- What I did
fixed some issues to allow CRI-O running in an user namespace
- How I did it
Allow to configure all directories used by CRI-O
- How to verify it
create a namespace, and run CRI-O with a configuration file where all directories are writeable by the user